Configuring and Managing Security using the NNCLI and CLI Ethernet Routing Switch 8300 Software Release 2.2

Size: px
Start display at page:

Download "Configuring and Managing Security using the NNCLI and CLI Ethernet Routing Switch 8300 Software Release 2.2"

Transcription

1 Part No C June Great America Parkway Santa Clara, CA Configuring and Managing Security using the NNCLI and CLI Ethernet Routing Switch 8300 Software Release 2.2 * C*

2 2 Copyright Nortel Networks Limited All rights reserved. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks Inc. The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license. The software license agreement is included in this document. Trademarks Nortel Networks, the Nortel Networks logo, the Globemark, Unified Networks, Passport, and BayStack are trademarks of Nortel Networks. Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated. Aegis is a trademark of Meetinghouse Data Communications, Inc. LINUX is a trademark of Linus Torvalds. Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation. Red Hat is a trademark of Red Hat, Inc. UNIX is a trademark of UNIX System Laboratories, Inc. Zone Labs is a trademark of Zone Labs, Inc. The asterisk after a name denotes a trademarked item. Restricted rights legend Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR Statement of conditions In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the right to make changes to the products described in this document without notice. Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein. Portions of the code in this software product may be Copyright 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission. SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED AS IS AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE C

3 3 In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties). Nortel Networks Inc. software license agreement This Software License Agreement ( License Agreement ) is between you, the end-user ( Customer ) and Nortel Networks Corporation and its subsidiaries and affiliates ( Nortel Networks ). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price. Software is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software. 1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment ( CFE ), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks or certify its destruction. Nortel Networks may audit by remote polling or other reasonable means to determine Customer s Software activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks with respect to such third party software. 2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided AS IS without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions may not apply. 3. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply. Configuring and Managing Security using the NNCLI and CLI

4 4 4. General a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections (for non-dod entities) and 48 C.F.R (for DoD entities). b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction. c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer s use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations. d. Neither party may bring an action, regardless of form, more than two years after the cause of the action arose. e. The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks. f. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York C

5 5 Contents Preface Before you begin About the NNCLI NNCLI command modes Accessing the NNCLI Returning to the CLI Text conventions Hard-copy technical manuals How to get help Chapter 1: Overview of security features CLI passwords Port lock feature Access policies for services SNMP version 3 (SNMPv3) SNMP engine snmpengineid Dispatcher Message processing Security Access control View-based Access Control (VACM) Secure Shell and Secure Copy SSH version 2 (SSH v2) SSH guidelines Key generation and removal Block SNMP SCP command RADIUS Configuring and Managing Security using the NNCLI and CLI

6 6 Contents How RADIUS works Configuring the RADIUS server Configuring the RADIUS client RADIUS authentication RADIUS accounting EAPoL EAPoL terminology Standard 802.1x configuration (single supplicant per port) EAPoL static-based security mode Non-standard 802.1x guest VLAN Guest VLAN Guest VLAN security mode Configuration guidelines for setting up a guest VLAN Enabling multiple EAPoL sessions per port Basic EAPOL multihost-based security Enhanced EAPOL multihost-based security EAPoL dynamic VLAN assignment RADIUS MAC centralization Working with RADIUS RADIUS configuration prerequisites for EAPoL RADIUS accounting for EAPoL Configuring the Ethernet Routing Switch 8300 for EAP and RADIUS System requirements TACACS TACACS+ architecture TACACS+ authentication TACACS+ authorization TACACS+ access levels Chapter 2: Setting passwords and locking ports using the NNCLI Roadmap of NNCLI password and lock port commands Changing passwords Resetting passwords Setting the port lock Enabling port lock C

7 Contents 7 Disabling port lock Chapter 3: Setting passwords and locking ports using the CLI Roadmap of CLI password and port lock commands Changing passwords Resetting passwords Setting the port lock Chapter 4: Configuring access policies using the NNCLI Roadmap of NNCLI access policy commands Enabling and disabling the access policy feature globally Configuring access policies Creating an access policy Allowing a network or device access to the switch Specifying the host and username for rlogin Assigning a precedence for the policy Naming an access policy Enabling or disabling an access policy Configuration example - access policies Chapter 5: Configuring access policies using the CLI Roadmap of CLI access policy commands Enabling the access policy feature globally Configuring access policies Creating an access policy Enabling an access service Allowing a network or device access to the switch Specifying the host and username for rlogin Assigning a precedence for the policy Naming an access policy Enabling or disabling an access policy Configuration example: access policies Chapter 6: Configuring SNMPv3 using the NNCLI Roadmap of NNCLI SNMPv3 commands Loading the encryption module Configuring and Managing Security using the NNCLI and CLI

8 8 Contents Creating a new user in the USM table Other USM commands Creating a new user group member Other member commands Creating v3 group access Other group-access commands Creating a new entry for the MIB in the View table Other MIB-view commands Creating a community Changing the default community strings Other community commands SNMPv3 configuration example SNMPv1/SNMPv2 configuration example Displaying SNMP system information Blocking SNMP Chapter 7: Configuring SNMPv3 using the CLI Roadmap of CLI SNMPv3 commands Loading the encryption module Creating a new user in the USM table Other USM commands Creating a new user group member Other group-member commands Creating v3 group access Other group-access commands Creating a new entry for the MIB in the View table Other MIB-view commands Creating a community Changing the default community strings Other community commands SNMPv3 configuration example SNMPv1/SNMPv2 configuration example Displaying SNMP system information Blocking SNMP C

9 Contents 9 Chapter 8: Configuring SSH using the NNCLI NNCLI commands for SSH Enabling the SSH server Configuring SSH Defining the action Enabling/disabling DSA authentication Enabling/disabling the SSH daemon Setting the maximum number of SSH sessions Enabling password authentication Setting the SSH connection port Enabling RSA authentication Setting the SSH authentication timeout Setting the SSH version Creating the user-defined access policy to enable service connections Loading the encryption module in the switch Viewing configured SSH parameters Chapter 9: Configuring SSH using the CLI CLI commands for SSH Enabling the SSH server Configuring SSH Defining the action Enabling/disabling DSA authentication Enabling/disabling the SSH daemon Setting the maximum number of SSH sessions Enabling password authentication Setting the SSH connection port Enabling RSA authentication Setting the SSH authentication timeout Setting the SSH version Creating the user-defined access policy to enable service connections Loading the encryption module in the switch Viewing configured SSH parameters Configuring and Managing Security using the NNCLI and CLI

10 10 Contents C Chapter 10: Setting up RADIUS servers Updating files for the BSAC RADIUS server Using a third-party RADIUS server Updating the dictionary file for a Merit Network server Updating files for the freeradius server Changing user access Subscriber and administrative interaction Configuring the BSAC or Merit Network server Configuring the freeradius server Enabling EAP authentication Chapter 11: Configuring RADIUS authentication and accounting using the NNCLI Roadmap of NNCLI RADIUS commands Configuring RADIUS on the switch Enabling and disabling RADIUS authentication Configuring RADIUS access priority attribute values Configuration example: RADIUS authentication Enabling RADIUS accounting Configuring RADIUS accounting attribute values Configuration example: RADIUS accounting Showing RADIUS information Configuring a RADIUS server Configuration example: adding a RADIUS server Showing RADIUS server configurations and server statistics Showing RADIUS authentication statistics Showing RADIUS accounting statistics Chapter 12: Configuring RADIUS authentication and accounting using the CLI Roadmap of CLI RADIUS commands Configuring RADIUS on the switch Enabling RADIUS authentication Configuring RADIUS access priority attribute values Configuration example: RADIUS authentication Enabling RADIUS accounting

11 Contents 11 Configuring RADIUS accounting attribute values Configuration example: RADIUS accounting Showing RADIUS information Configuring a RADIUS server Configuration example: adding a RADIUS server Showing RADIUS server configurations and server statistics Showing RADIUS authentication statistics Showing RADIUS accounting statistics Chapter 13: Configuring EAPoL using the NNCLI Roadmap of NNCLI EAPoL commands Configuration prerequisites Configuring EAPoL globally Adding an EAPoL-enabled RADIUS server Configuration example: adding an EAPoL-enabled RADIUS server Deleting an EAPoL-enabled RADIUS server Modifying EAPoL-enabled RADIUS server parameters Configuring EAPoL on a port Configuration example: configuring EAPoL on a port Configuring non-eapol clients on a port Changing the authentication status of a port Showing EAPoL statistics Showing the EAPoL status of the switch Showing EAPoL authenticator statistics Showing EAPoL authenticator diagnostics Showing EAPoL authenticator session statistics Showing EAPoL configuration statistics Showing EAPoL operation statistics Showing multiple clients session information Viewing the status of non-eapol clients that use RADIUS Viewing allowed non-eapol MAC addresses Chapter 14: Configuring EAPOL using the CLI Roadmap of CLI EAPoL commands Configuration prerequisites Configuring EAPoL globally Configuring and Managing Security using the NNCLI and CLI

12 12 Contents Adding an EAPoL-enabled RADIUS server Configuration example: adding an EAPoL-enabled RADIUS server Deleting an EAPoL-enabled RADIUS server Modifying EAPoL-enabled RADIUS server parameters Configuring EAPoL on a port Configuration example: configuring EAPoL on a port Configuring non-eapol clients on a port Changing the authentication status of a port Showing EAPoL statistics Showing the EAPoL status of the switch Showing EAPoL authenticator statistics Showing EAPoL authenticator diagnostics Showing EAPoL authenticator session statistics Showing EAPoL configuration statistics Showing EAPoL operation statistics Showing multiple clients session information Viewing the status of non-eapol clients that use RADIUS Viewing allowed non-eapol MAC addresses Chapter 15: Configuring TACACS+ using the NNCLI Roadmap of CLI TACACS+ commands Enabling TACACS+ authentication Showing TACACS+ information Configuring a TACACS+ server Configuration example: enabling TACACS+ and adding a TACACS+ server Chapter 16: Configuring TACACS+ using the CLI Roadmap of CLI TACACS+ commands Configuring TACACS+ on the switch Enabling TACACS Showing TACACS+ information Configuring a TACACS+ server Showing TACACS+ server configurations Configuration example: adding a TACACS+ server C

13 Contents 13 Chapter 17: NNCLI configuration examples Configuring EAPoL via Layer Configuration files Configuring EAPoL via Layer Configuration files Configuring SNMPv Configuration files Configuring TACACS Supported TACACS+ servers TACACS+ configuration example Configuring the TACACS+ server Chapter 18: CLI configuration examples Configuring EAPoL through L Configuration files Configuring EAPoL through L Configuration files Configuring SNMPv Configuration files Configuring TACACS Supported TACACS+ servers TACACS+ configuration example Configuring the TACACS+ server Appendix A: TACACS+ server configuration examples Configuration example: Cisco ACS server Configuration example: ClearBox server Configuration example: Linux freeware server Index Configuring and Managing Security using the NNCLI and CLI

14 14 Contents C

15 15 Figures Figure 1 USM association with VACM Figure 2 Overview of the SSH protocol Figure 3 SSH v2 protocols Figure 4 SSH user authentication protocol Figure 5 SSH connection protocol Figure 6 EAPoL standard 802.1x packet path example Figure 7 Standard 802.1x operational mode example Figure 8 EAPoL static-based security example Figure 9 Accessing the guest VLAN Figure 10 EAPoL Guest VLAN security example Figure 11 Basic EAPoL multihost-based security example Figure 12 Multiple EAPoL client example Figure 13 Enhanced EAPoL multihost-based security example Figure 14 Connecting the TACACS+ server through a local interface Figure 15 Connecting the TACACS+ server though the management interface Figure 16 config cli password command sample output Figure 17 config cli password command sample output Figure 18 access-policy policy network command sample output (network) Figure 19 access-policy policy network command sample output (device) Figure 20 access-policy policy command sample output Figure 21 config sys access-policy policy service commands output Figure 22 config sys access-policy policy command sample output (network) Figure 23 config sys access-policy policy command sample output (device) Figure 24 config sys access-policy policy command sample output Figure 25 FTP sample output from DOS window Figure 26 USM command sample output Figure 27 SNMPv3 group configuration sample output Figure 28 SNMPv3 group access configuration output Figure 29 MIB View configuration sample output Configuring and Managing Security using the NNCLI and CLI

16 16 Figures Figure 30 Community configuration sample output Figure 31 SNMP system information sample output Figure 32 FTP sample output from DOS window Figure 33 USM command sample output Figure 34 SNMPv3 group configuration sample output Figure 35 SNMPv3 group access configuration sample output Figure 36 MIB view commands sample output Figure 37 MIB view commands sample output Figure 38 config snmp-v3 community info output Figure 39 Community commands sample output Figure 40 show config module sys sample output Figure 41 Updating information for the BSAC or Merit Network server Figure 42 radius authentication command sample output Figure 43 radius acct command sample output Figure 44 show radius command sample output Figure 45 radius-server command sample output Figure 46 show radius-server command sample output Figure 47 show radius-server authentication-stat command sample output Figure 48 show radius-server accounting command sample output Figure 49 config radius authentication-enable command sample output Figure 50 config radius acct-enable command sample output Figure 51 config radius info sample output Figure 52 config radius server command sample output Figure 53 show radius server config sample command output Figure 54 show radius server stat authentication command sample output Figure 55 show radius server stat accounting command sample output Figure 56 radius-server host command sample output Figure 57 eapol configuration command sample output Figure 58 show eapol command sample output Figure 59 show interface FastEthernet eapol auth-stats sample output Figure 60 show interface FastEthernet eapol auth-diags sample output Figure 61 show interface FastEthernet eapol session-stats sample output Figure 62 show interface FastEthernet eapol config sample output Figure 63 show interface FastEthernet eapol oper-stats sample output C

17 Figures 17 Figure 64 show interface fastethernet eapol multi-host-session-stats command sample output Figure 65 show eapol multihost non-eap-mac status command sample output Figure 66 show eapol multihost non-eap-mac interface command sample output. 248 Figure 67 config radius server command sample output Figure 68 eapol configuration command sample output Figure 69 show sys eapol command sample output Figure 70 show ports info eapol auth-stats command sample output Figure 71 show ports info eapol auth-diags command sample output Figure 72 show ports info eapol session-stats command sample output Figure 73 show ports info eapol config command sample output Figure 74 show ports info eapol oper-stats command sample output Figure 75 show ports info eapol multi-host-session-stats command sample output 279 Figure 76 show ports info eapol radius-non-eap-mac command sample output Figure 77 show ports info eapol radius-non-eap-mac parameters Figure 78 show ports info eapol non-eap-mac command sample output Figure 79 Sample of show tacacs command output Figure 80 Sample of tacacs server command input Figure 81 Sample of config tacacs info command output Figure 82 Sample of config tacacs+ server command output Figure 83 EAPoL via L Figure 84 EAPoL via L Figure 85 SNMPv3 for users with different permissions/privacy protocols Figure 86 TACACS+ server and management PC on the same subnet Figure 87 EAPoL via L Figure 88 EAPoL via L Figure 89 SNMPv3 for users with different permissions/privacy protocols Figure 90 TACACS+ server and management PC on the same subnet Figure 91 Cisco ACS (version 3.2) main administration window Figure 92 Group Setup window Cisco ACS server configuration Figure 93 Network Configuration window server setup Figure 94 Network Configuration window client setup Figure 95 Group Setup window viewing the group setup Figure 96 User Setup window Cisco ACS server configuration Figure 97 General Extension Configurator Configuring and Managing Security using the NNCLI and CLI

18 18 Figures Figure 98 Creating a client entry Figure 99 Default realm Authentication tab Figure 100 Default realm Authorization tab Figure 101 Adding parameters for the query Figure 102 Authorization Query window Figure 103 Query parameters added to Authorization Attribute-Value Pairs window 337 Figure 104 Authorization attribute-value pairs added to Authorization tab Figure 105 Users table Microsoft Access Figure 106 ClearBox Server Manager Figure 107 Connect to... dialog box Figure 108 TACACS+ server connected Figure 109 Server configured successfully Figure 110 Unsuccessful connection to TACACS+ server Figure 111 Successful login Figure 112 Unsuccessful login Figure 113 Sample config file Linux TACACS+ server C

19 19 Tables Table 1 NNCLI command modes Table 2 Accounting events and logged information Table 3 Summary of accounting events and information logged Table x session termination mapping Table 5 Ethernet Routing Switch 8300 access levels Table 6 show radius-server authentication-stat command statistics Table 7 show radius-server accounting-stat command statistics Table 8 show radius server stat authentication command statistics Table 9 show radius server stat accounting command statistics Table 10 Eap Authenticator Statistics table parameters Table 11 Eap Authenticator Diagnostics table parameters Table 12 Eap Authenticator Session Statistics table parameters Table 13 Eap Config table parameters Table 14 Eap Oper Stats table parameters Table 15 show ports info eapol oper-stats parameters Table 16 show eapol multihost non-eap-mac status parameters Table 17 show eapol multihost non-eap-mac interface parameters Table 18 show ports info eapol auth-stats parameters Table 19 show ports info eapol auth-diags parameters Table 20 show ports info eapol session-stats parameters Table 21 show ports info eapol config parameters Table 22 show ports info eapol oper-stats parameters Table 23 show ports info eapol oper-stats parameters Table 24 show ports info eapol non-eap-mac parameters Configuring and Managing Security using the NNCLI and CLI

20 20 Tables C

21 21 Preface The Nortel* Ethernet Routing Switch 8300 is a flexible and multifunctional Layer 2/Layer 3 switch that supports diverse network architectures and protocols. The Ethernet Routing Switch 8300 provides security and control features such as Extensible Authentication Protocol over LAN (EAPoL), Simple Network Management Protocol, Version 3 (SNMP3), and Secure Shell (SSH). The Ethernet Routing Switch 8300 provides quality of service (QoS) for a high number of attached devices and supports future network requirements for QoS for critical applications, such as Voice over IP (VoIP). This guide describes the security features available for the Ethernet Routing Switch 8300 Software Release 2.2. The guide provides instructions for initializing and customizing the features using the Nortel* Command Line Interface (NNCLI) and the Ethernet Routing Switch 8300 Command Line Interface (CLI). To learn the basic structure and operation of the NNCLI, refer to NNCLI Command Line Reference for the Ethernet Routing Switch 8300 ( C). This reference guide describes the function and syntax of each NNCLI command. To learn the basic structure and operation of the Ethernet Routing Switch 8300 CLI, refer to CLI Command Line Reference for the Ethernet Routing Switch 8300 ( C). This reference guide describes the function and syntax of each CLI command. Before you begin This guide is intended for network administrators who have the following background: basic knowledge of networks, Ethernet bridging, and IP routing familiarity with networking concepts and terminology experience with windowing systems or GUIs Configuring and Managing Security using the NNCLI and CLI

22 22 Preface basic knowledge of network topologies Before using this guide, you must complete the following procedures. For a new switch: 1 Install the switch. For installation instructions, see Installing and Maintaining the Ethernet Routing Switch 8306 and 8310 Chassis ( C) and Installing Ethernet Routing Switch 8300 Series Modules ( C). 2 Connect the switch to the network. For more information, see Getting Started ( C). Ensure that you are running the latest version of Nortel Ethernet Routing Switch 8300 software. For information about upgrading the Ethernet Routing Switch 8300, see Upgrading to Ethernet Routing Switch 8300 Software Release 2.2 ( C). About the NNCLI This section describes the Nortel Command Line Interface (NNCLI) command modes you use to configure the Ethernet Routing Switch 8300 and the commands you use to access the NNCLI. You can access the NNCLI using the following methods: Telnet session rlogin local console port NNCLI command modes The NNCLI has four major command modes, listed in order of increasing privileges: User EXEC Privileged EXEC Global configuration C

23 Preface 23 Interface configuration Each mode provides a specific set of commands. The command set of a higher-privilege mode is a superset of a lower-privilege mode. That is, all lower-privilege mode commands are accessible when using a higher-privilege mode. The command modes are as follows: User EXEC mode This is the initial mode of access. By default, the User Access Verification Password for this mode is empty, and password checking is disabled. The password can be changed (and password checking enabled) by the system administrator in Global configuration mode. Once the password is changed, it is activated immediately. Privileged EXEC mode This mode is accessed from the User EXEC mode. When accessing this mode, you are prompted to provide a login name and password. The login name and password combination determines your access level in the Privileged EXEC mode and other higher modes. Global configuration mode This mode allows you to make changes to the running configuration. If the configuration is saved, these settings survive reboots of the switch. Interface configuration mode This mode allows you to modify either a logical interface, such as a VLAN, or a physical interface, such as a port/slot. From either the Global configuration mode or the Interface configuration mode, all the configuration parameters (both global and interface) can be saved to a file. The default name for the configuration parameters file is config.cfg. Alternative filenames can also be used. Configuring and Managing Security using the NNCLI and CLI

24 24 Preface Table 1 lists the NNCLI command modes, the prompts for each mode, the abbreviated name for each mode, and how to enter and exit each mode. Table 1 NNCLI command modes Command mode Prompt Mode name Command/mode to enter or exit mode User EXEC Passport-8300:5> exec Default mode when NNCLI is started logout to exit Privileged EXEC Passport-8300:5# privexec enable to enter from User EXEC mode disable to exit to User EXEC mode Global configuration Interface configuration Passport-8300:5(config)# config configure to enter from Privileged EXEC mode exit to exit to Privileged EXEC mode Passport-8300:5(config-if)# config-if interface to enter from Global configuration mode exit to exit to Global configuration mode Note: Prompts are expressed in this table using the format Passport-8300:5; however, prompts returned from your switch typically reflect the specific chassis you use. For example, if you use the 8310 chassis, the prompts use the format Passport-8310:5. Prompts can be customized, also, using the NNCLI command snmp-server name <prompt>. Refer to Getting Started ( C) for more information. Accessing the NNCLI When you first power up the Ethernet Routing Switch 8300, the default interface is the Ethernet Routing Switch 8300 CLI. To switch from the CLI to the NNCLI, you must change the NNCLI boot flag to true and save the boot configuration file using the following commands: Passport-8310:5# config boot flags nncli true Passport-8310:5# save boot C

25 Preface 25 You must reboot the switch for this change to take effect. After you reboot the switch, access the NNCLI using Telnet, rlogin, or the local console port. You can log in to the switch using your password and the default privilege password nortel. Use the following commands to: log in to the software using the default user name and password access Global configuration mode Login: xxxxx Password: xxxxx Passport-8310:5> enable Password: nortel Passport-8310:5# configure terminal Passport-8310:5(config)# Returning to the CLI Note: The config.cfg file for the CLI and the config.cfg file for the NNCLI are not compatible. If you decide to change the CLI mode to NNCLI, or the reverse, you must use the config.cfg file for the selected mode. To switch from the NNCLI to the CLI, enter the following commands: Passport-8310:5(config)# no boot flags nncli Passport-8310:5(config)# exit Passport-8310:5(config)# save boot You must reboot the switch for this change to take effect. Configuring and Managing Security using the NNCLI and CLI

26 26 Preface Text conventions This guide uses the following text conventions: angle brackets (< >) bold body text bold Courier text braces ({}) brackets ([ ]) ellipsis points (... ) Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command. Example: If the command syntax is ping <ip_address>, you enter ping Indicates objects such as window names, dialog box names, and icons, as well as user interface objects such as buttons, tabs, and menu items. Indicates command names, options, and text that you must enter. Example: Use the dinfo command. Example: Enter show ip {alerts routes}. Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command. Example: If the command syntax is show ip {alerts routes}, you must enter either show ip alerts or show ip routes, but not both. Indicate optional elements in syntax descriptions. Do not type the brackets when entering the command. Example: If the command syntax is show ip interfaces [-alerts], you can enter either show ip interfaces or show ip interfaces -alerts. Indicate that you repeat the last element of the command as needed. Example: If the command syntax is ethernet/2/1 [<parameter> <value>]..., you enter ethernet/2/1 and as many parameter-value pairs as needed C

27 Preface 27 italic text plain Courier text separator ( > ) vertical line ( ) Indicates variables in command syntax descriptions. Also indicates new terms and book titles. Where a variable is two or more words, the words are connected by an underscore. Example: If the command syntax is show at <valid_route>, valid_route is one variable and you substitute one value for it. Indicates command syntax and system output, for example, prompts and system messages. Example: Set Trap Monitor Filters Shows menu paths. Example: Protocols > IP identifies the IP command on the Protocols menu. Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command. Example: If the command syntax is show ip {alerts routes}, you enter either show ip alerts or show ip routes, but not both. Hard-copy technical manuals You can download current versions of technical documentation for your Ethernet Routing Switch 8300 from the Nortel customer support web site at If, for any reason, you cannot find a specific document, use the Search function: 1 Click Search at the top right-hand side of the web page. The Search page opens. 2 Ensure the Support tab is selected. 3 Enter the title or part number of the document in the Search field. 4 Click Search. Configuring and Managing Security using the NNCLI and CLI

28 28 Preface You can print the technical manuals and release notes free, directly from the Internet. Use Adobe* Acrobat Reader* to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to Adobe Systems at the URL to download a free copy of the Adobe Acrobat Reader. How to get help If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance. If you purchased a Nortel service program, contact Nortel Technical Support. To obtain contact information online, go to the web page and click Technical Support. Information about the Nortel Technical Solutions Centers is available from the web page. An Express Routing Code (ERC) is available for many Nortel products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate the ERC for your product or service, go to the web page C

29 29 Chapter 1 Overview of security features This chapter describes security features that allow you to restrict access to the Ethernet Routing Switch You protect the control path using: Login and passwords Access policies, which allow you to specify the network/address that is allowed to use a service/daemon Secure protocols (for example, Secure Shell [SSH], Secure Copy [SCP], Simple Network Management Protocol [SNMP]) You protect the data path using: Layer 2 MAC address filtering Layer 3 filtering (for example, IP, UDP/TCP filtering) Mechanisms to prevent DOS (Denial of Service) attacks You can use the supported command line interfaces (NNCLI or the Ethernet Routing Switch 8300 CLI) to set up passwords and community strings for access to all the management functions of the switch. This chapter includes the following topics: Topic Page CLI passwords 30 Port lock feature 30 Access policies for services 31 SNMP version 3 (SNMPv3) 31 Secure Shell and Secure Copy 36 RADIUS 42 Configuring and Managing Security using the NNCLI and CLI

30 30 Chapter 1 Overview of security features Topic Page EAPoL 47 TACACS+ 77 CLI passwords The Ethernet Routing Switch 8300 is shipped with default passwords set for access to the CLI through a console or telnet session. Community strings are stored in encrypted format and are not stored in the configuration file. If the switch is booted for the first time, the password is set to default values. A log is generated that indicates any changes you make. If you are using the Java Device Manager (Device Manager), you can also specify the number of allowed Telnet sessions and rlogin sessions. Caution: Please be aware that the default passwords/community strings are documented and well known. Nortel strongly recommends that you change the default passwords/community strings immediately after the first login. Note: For security purposes, if you fail to login correctly on the master CPU in three consecutive instances, the CPU locks for 60 seconds. Port lock feature The Port Lock feature allows you to administratively lock a port or ports to prevent other users from changing port parameters or modifying port action. Locked ports cannot be modified in any way until the port is unlocked. For instructions on locking ports using the NNCLI and CLI, see Chapter 2, Setting passwords and locking ports using the NNCLI, on page 81 and Chapter 3, Setting passwords and locking ports using the CLI, on page 85, respectively C

31 Chapter 1 Overview of security features 31 Access policies for services You can control access to the switch by creating an access policy. An access policy specifies the hosts or networks that can access the switch through various access services, such as Telnet, SNMP, HTTP, FTP, TFTP, or rlogin. Note: To access the backup CPU using the peer rlogin command, you must also set an access policy that enables rlogin access to the backup CPU. For information about the peer rlogin command, see Getting Started. For information about enabling access services for a specific policy using the NNCLI or the CLI, see Chapters 6 and 7, respectively. You can define network stations that are explicitly allowed to access the switch or network stations explicitly forbidden to access the switch. For each service you can also specify the level of access, such as read-only or read/write/all. When you set up access policies, you can either: Globally enable the access policy feature, and then create and enable individual policies. Each policy takes effect immediately when you enable it. Create and enable individual access policies, and then globally enable the access policy feature to activate all the policies at the same time. SNMP version 3 (SNMPv3) The Simple Network Management Protocol (SNMP) allows you to remotely collect management data and configure devices. An SNMP agent is a software process that listens on UDP port 161 for SNMP messages. Each SNMP message sent to the agent contains a list of management objects to either retrieve or modify. SNMP version 3 (SNMPv3) is an SNMP framework that supplements SNMPv2 by supporting the following: New SNMP message formats Configuring and Managing Security using the NNCLI and CLI

32 32 Chapter 1 Overview of security features Security for messages Access control Remote configuration of SNMP parameters An SNMP entity is an implementation of this architecture. Each such SNMP entity consists of an SNMP engine and one or more associated applications. SNMPv3 provides a means of security to the SNMP framework by supporting the following: Security for Messages Access Control Remote configuration of SNMP parameters New SNMP message format SNMP engine An SNMP engine provides services for sending and receiving messages, authenticating and encrypting messages, and controlling access to managed objects. There is a one-to-one association between an SNMP engine and the SNMP entity, which contains it. snmpengineid Within an administrative domain, an snmpengineid is the unique identifier of an SNMP engine. Since there is a one-to-one association between SNMP engines and SNMP entities, the ID also uniquely and unambiguously identifies the SNMP entity within that administrative domain. The snmpengineid is generated during the boot processing. The SNMP engine contains a: Dispatcher Message Processing Subsystem Security Subsystem Access Control Subsystem C

33 Chapter 1 Overview of security features 33 Dispatcher There is one dispatcher in an SNMP engine. It allows for concurrent support of multiple versions of SNMP messages in the SNMP engine. It does so by: Sending and receiving SNMP messages to/from the network Determining the SNMP message version and interacting with the corresponding message processing model Providing an abstract interface to SNMP applications for delivery of a PDU to an application Providing an abstract interface for SNMP applications that allows them to send a PDU to a remote SNMP entity. Message processing The Message Processing subsystem prepares messages for sending and extracts data from received messages. The subsystem can contain multiple message processing models. Security Authentication Authentication within the User-based Security Model (USM) allows the recipient of a message to verify the message sender and whether the message has been altered. If authentication is used, the integrity of the message is verified. Authentication uses a secret key to produce a fingerprint of the message. This fingerprint is included in the message. The receiving entity uses the same secret key to validate the fingerprint. The authentication protocols supported using USM are HMAC-MD5 and HMAC-SHA-96. Privacy The USM is an encryption Protocol for privacy. Only the data portion of a message is encrypted, the header and the security parameters are not. The privacy protocol supported using the USM is CBC-DES Symmetric Encryption Protocol. Configuring and Managing Security using the NNCLI and CLI

34 34 Chapter 1 Overview of security features Security SNMPv3 security protects against the following: Modification of information protects against altering information in transit Masquerade protects against an unauthorized entity assuming the identity of an authorized entity Message Stream Modification protection against delaying or replaying messages Disclosure protects against eavesdropping Discovery procedure finds the SnmpEngineID of a SNMP entity for a given transport address or transport endpoint address. Time synchronization procedure facilitates authenticated communication between entities SNMPv3 does not protect against: Denial of service prevention of exchanges between manager and agent Traffic analysis general pattern of traffic between managers and agents Access control USM system In a USM system, the system uses a defined set of user identities for any authorized user on a particular SNMP engine. The user with authority on one SNMP engine must also have authorization on any SNMP engine with which the original SNMP engine communicates. The USM system provides the following levels of communications: NoAuthNoPriv Communications without authentication and privacy AuthNoPriv Communications with authentication and without privacy C

35 AuthPriv Communications with authentication and privacy Chapter 1 Overview of security features 35 Figure 1 shows the relationship between USM and View-based Access Control (VACM). Figure 1 USM association with VACM View-based Access Control (VACM) VACM provides groups access, group security levels, and context based on a predefined subset of MIB objects. These MIB objects define a set of managed objects and instances. Configuring and Managing Security using the NNCLI and CLI

36 36 Chapter 1 Overview of security features VACM is the standard access control mechanism for SNMPv3, and it provides: Authorization service to control access to MIB objects at the PDU level Alternative access control subsystems The access is based on principal, security level, MIB context, object instance, and type of access requested (read/write). VACM MIB defines the policy and allows remote management. Secure Shell and Secure Copy Secure Shell (SSH) is a client/server protocol that allows you to conduct secure communications over a network. SSH supports a variety of the public/private key encryption schemes available. Using the public key of the host server, the client and server negotiate to generate a session key known only to the client and the server. This one-time key is then used to encrypt all traffic between the client and the server. Secure CoPy (SCP) is a secure file transfer protocol. SCP replaces remote access utilities such as FTP with an encrypted alternative. Figure 2 on page 37 shows an overview of the SSH protocol C

37 Chapter 1 Overview of security features 37 Figure 2 Overview of the SSH protocol Client Public host keys Server Authentication Session key H,S Server host key public H/private H H Server key public S/private S User terminal Shell/server SSH agent MUX MUX Agent socket Locally forwarded TCP port Integrity Encryption Encryption Integrity TCP connection 10711EA Using a combination of host, server, and session keys, the SSH protocol provides strong authentication and secure communication over a non-secure network. The SSH protocol offers protection from the following security risks: IP spoofing IP source routing DNS spoofing man-in-the-middle/tcp hijacking attacks (interception of cleartext passwords and other data by intermediate hosts, or manipulation of data by people in control of intermediate hosts) eavesdropping/password sniffing Even if network security is compromised, traffic cannot be played back or decrypted, and the connection cannot be hijacked. The secure channel of communication provided by SSH does not provide protection against break-in attempts or denial-of-service (DoS) attacks. Configuring and Managing Security using the NNCLI and CLI

38 38 Chapter 1 Overview of security features The SSH protocol supports the following security features: Authentication identifies the SSH client. During the login process the SSH client is queried for a digital proof of identity. Supported authentications are RSA (SSH v1), DSA (SSH v2), and passwords (both SSH v1 and SSH v2). Encryption The SSH server uses encryption algorithms to scramble data and render it unintelligible, except to the receiver. Supported encryption is 3DES only. Integrity This guarantees that the data is transmitted from the sender to the receiver without any alteration. If any third party captures and modifies the traffic, the SSH server will detect the alteration. Note: Currently, 3DES is the only encryption algorithm supported for the 8000 series Ethernet Routing Switch. Due to export restrictions, the encryption capability has been separated from the main image. Refer to the release notes accompanying your software release for the latest information on how to download the 3DES encryption image. The SSH server does not function properly without the use of this image. The implementation of the SSH server in the 8000 series Ethernet Routing Switch enables the SSH client to make a secure connection to an 8000 series Ethernet Routing Switch, and will work with commercially available SSH clients. Note: You must use CLI to initially configure SSH. You can use Device Manager to change the SSH configuration parameters, however, Nortel recommends that you use CLI. Nortel also recommends that you use the console port to configure the SSH parameters C

39 Chapter 1 Overview of security features 39 SSH version 2 (SSH v2) SSH protocol, version 2 (SSH v2) is a complete rewrite of the SSH v1 protocol. SSH v1 contains multiple functions in a single protocol. SSH v2 divides the functions among three layers: SSH Transport Layer (SSH-TRANS) The SSH transport layer manages the server authentication and provides the initial connection between the client and the server. Once established, the transport layer provides a secure, full-duplex connection between the client and server. SSH Authentication Protocol (SSH-AUTH) The SSH authentication protocol runs on top of the SSH transport layer and authenticates the client-side user to the server. SSH-AUTH defines three authentication methods: public key, host-based, password. SSH-AUTH provides a single authenticated tunnel for the SSH connection protocol. SSH Connection Protocol (SSH-CONN) The SSH connection protocol runs on top of the SSH transport layer and user authentication protocols. SSH-CONN provides interactive login sessions, remote execution of commands, forwarded TCP/IP connections, and forwarded X11 connections. These richer services are multiplexed into the single encrypted tunnel provided by the SSH transport layer. Figure 3 on page 40 shows SSH v2 protocols. Figure 4 on page 40 shows SSH user authentication protocol. Figure 5 on page 41 shows SSH connection protocol. Configuring and Managing Security using the NNCLI and CLI

40 40 Chapter 1 Overview of security features Figure 3 SSH v2 protocols SSH transport protocol C o m I E nc C o m I E nc Client Public host keys p r e s s i o n n t e g r i t y r y p t i o n Server Authentication Session key H,S p r e s s i o n n t e g r i t y r y p t i o n Server host key public H/private H H Server key public S/private S 10714EA Figure 4 SSH user authentication protocol SSH user authentication protocol User Key Public---Private Public key authenticator U User Key Public Password Password SSH signer Public---Private Hostbased user, host C Client Host Keys C 10713EA C

41 Chapter 1 Overview of security features 41 Figure 5 SSH connection protocol SSH connection protocol User terminal Channel Shell SSH agent Channel Agent socket Locally forwarded agent Channel TCP connection 10712EA The modular approach of SSH v2 offers improvements to the security, performance, and portability of the SSH v1 protocol. Note: The SSH v1 and SSH v2 protocols are not compatible. While the SSH implementation in the 8000 series Ethernet Routing Switch supports both versions of SSH, Nortel recommends use of the SSH v2 protocol because it is more secure than SSH v1. SSH guidelines The following section provide guidelines for implementing SSH: Key generation and removal Block SNMP on page 42 SCP command on page 42 Key generation and removal Generating keys requires that you have free space on the flash. A typical configuration requires less than 2 KBytes of free space. Before you generate a key, verify that you have sufficient space on the flash, using the dir command. If the flash is full when you attempt to generate a key, an error message appears and the key is not generated. If you receive the error message, you must delete unused files and re-generate the key. If you remove only the public keys, enabling the SSH does not create new ones. Configuring and Managing Security using the NNCLI and CLI

42 42 Chapter 1 Overview of security features Block SNMP The boot flag setting for block-snmp (config bootconfig flags block-snmp <true false>) and the runtime config SSH secure (config sys set ssh enable <true false secure>) each modify the block-snmp boot flag. If you enable SSH secure, the block-snmp boot flag is modified to true and the change takes effect after reboot. To set the block-snmp boot flag to false, first disable SSH secure mode. SCP command Nortel recommends that you use short filenames with the SCP command. The entire SCP command, including all options, usernames, and filenames should never exceed 80 characters. RADIUS Remote Access Dial-In User Services (RADIUS) is a distributed client/server system that assists in securing networks against unauthorized access, allowing a number of communication servers and clients to authenticate users identities through a central database. The database within the RADIUS server stores information about clients, users, passwords, and access privileges including the use of shared secret. RADIUS is a fully open and standard protocol defined by RFCs (authentication [RFC 2865] and accounting [RFC 2866]). The Ethernet Routing Switch 8300 uses RADIUS authentication and accounting to: secure access to the switch using Telnet, rlogin, or the console port track the management sessions (CLI only) This section includes the following topics: How RADIUS works, next Configuring the RADIUS server on page 43 Configuring the RADIUS client on page 44 RADIUS authentication on page C

43 Chapter 1 Overview of security features 43 RADIUS accounting on page 45 How RADIUS works A RADIUS application has two components: RADIUS server A computer equipped with server software (for example, a UNIX* workstation) that is located at a central office or campus. It has authentication and access information in a form that is compatible with the client. Typically, the database in the RADIUS server stores client information, user information, password, and access privileges, including the use of shared secret. A network can have one server for both authentication and accounting, or one server for each service. RADIUS client A switch, router, or a remote access server equipped with client software, that typically resides on the same local area network (LAN) segment as the server. The client is the network access point between the remote users and the server. The RADIUS process includes: RADIUS authentication, which allows you to identify remote users before you give them access to a central network site. RADIUS accounting, which enables data collection on the server during a remote user s dial-in session with the client. Configuring the RADIUS server The Ethernet Routing Switch 8300 software supports BaySecure Access Control (BSAC* now known as the Steel-Belted Radius server (SBR)), Merit Network, and freeradius servers. For instructions on installing the BSAC, Merit Network, or freeradius server software on the server that you use, see the installation manual that came with your software. After the software is installed, you must make changes to one or more configuration files for these servers. For detailed information about the changes that must be made for the BSAC, Merit Network, or freeradius server, see Chapter 10, Setting up RADIUS servers, on page 171. Configuring and Managing Security using the NNCLI and CLI

44 44 Chapter 1 Overview of security features After you have installed the software, configure the RADIUS server to respond to each of its clients. Make sure that the RADIUS server reaches the client by pinging the IP address of the client. If the server s IP interface can successfully ping the client, the server can provide authentication to that client. You must add user names ro, L1, L2, L3, rw, and rwa to the RADIUS server if authentication is enabled. Users not added to the server will be denied access. In addition to these usernames (ro, L1, L2, L3, rw, and rwa), you can create additional user names to access the switch. You assign an access priority to an individual user. These access priorities, which range from Non-Access to Read-Write-All-Access, determine a user s access level. The RADIUS server authenticates the user name and access priority that is assigned to that name. For detailed instructions on configuring a RADIUS server, including adding clients, users, and access priorities, refer to the documentation that came with the server software. Configure at least two RADIUS servers in the network to provide redundancy. A maximum of ten RADIUS servers is allowed in a single network. Each server is assigned a priority and is contacted in that order. Configuring the RADIUS client You use the Ethernet Routing Switch 8300 CLI, the NNCLI, or Device Manager to configure the RADIUS client so that it can contact its RADIUS server. To configure the client, you must: Enable RADIUS. Configure the IP address of the RADIUS server to be used. Configure the shared secret. This secret must match the one defined in the RADIUS server. Configure the access priority attribute value. This value must match the type value set in the dictionary file on the RADIUS server. The default value (192) is the recommended value. Configure the order or priority in which the RADIUS server is used (if you have more than one RADIUS server in the network). Set the UDP port that will be used by the client and the server during the authentication process. The UDP port between the client and the server must have the same value. For example, if the server is configured with UDP 1812, then the client must use the same UDP port value C

45 Chapter 1 Overview of security features 45 RADIUS authentication RADIUS authentication allows a remote server to authenticate users attempting to log in. The RADIUS server also provides access authority. RADIUS assists network security and authorization by managing a database of users. Use of the database allows the switch to verify user names and passwords, as well as information about the type of access priority available to the user. When the RADIUS client sends an authentication request, if the RADIUS server requires additional information, such as a SecurID number, it sends a challenge-response. Along with the challenge-response, a reply-message attribute is sent. The reply-message is a text string, such as Please enter the next number on your SecurID card:. The maximum length of each reply-message attribute is 253 characters (as defined by the RFC). If you have multiple instances of reply-message attributes that together form a large message that can be displayed to the user, the maximum length is 2000 characters. RADIUS accounting RADIUS accounting logs all of the activity of each remote user in a session on the centralized RADIUS accounting server. Session IDs for each RADIUS account are generated as 12-character strings. The first four characters in the string form a random number in hexadecimal format. The last eight characters in the string indicate, in hexadecimal format, the number of user sessions started since reboot. The Network Access Server (NAS) IP address for a session is the address of the switch interface to which the remote session is connected over the network. For a console session, modem session, and sessions running on debug ports, this value is set to (as is done with RADIUS authentication). Configuring and Managing Security using the NNCLI and CLI

46 46 Chapter 1 Overview of security features Table 2 summarizes events and associated accounting information logged at the RADIUS accounting server. Table 2 Accounting events and logged information Event Accounting information logged at server Accounting is turned on at router Accounting on request: Network Access Server (NAS) IP address. Accounting is turned off at router Accounting off request: NAS IP address. User logs in Accounting start request: NAS IP address Session Id Username More than 40 CLI commands are executed Accounting Interim request: NAS IP address Session Id CLI commands Username User logs off Accounting Stop request: NAS IP Address Session Id Session duration Username number of octets input for session number of octets output for session number of packets input for session number of packets output for session CLI commands When the switch communicates with the RADIUS accounting server, the following actions result: If the server sends an invalid response, the response is silently discarded and no attempt is made to resend the request. If the server does not respond within the user-configured timeout interval, a user-specified number of attempts is made. If a server does not respond to any of the retries, requests are sent to the next priority server (if configured). You can configure up to ten RADIUS servers for redundancy C

47 Chapter 1 Overview of security features 47 EAPoL Extensible Authentication Protocol over LAN (EAPoL) is a port-based network access control protocol. This protocol is part of the IEEE 802.1x standard, which defines port-based network access control. EAPoL provides security by preventing users from accessing network resources before they have been authenticated. Without authentication, any user can access a network to assume a valid identity and access confidential material, or launch Denial of Service (DoS) attacks. EAPoL allows you to set up network access control on internal LANs and to exchange authentication information between any endstation or server connected to the Ethernet Routing Switch 8300 and an authentication server (such as a RADIUS server). This security feature extends the benefits of remote authentication to internal LAN clients. For example, if a new client PC fails the authentication process, EAPoL prevents it from accessing the network. This section includes the following topics: EAPoL terminology, next Standard 802.1x configuration (single supplicant per port) on page 48 EAPoL static-based security mode on page 52 Non-standard 802.1x guest VLAN on page 54 Enabling multiple EAPoL sessions per port on page 59 EAPoL dynamic VLAN assignment on page 67 RADIUS MAC centralization on page 68 Working with RADIUS on page 71 RADIUS configuration prerequisites for EAPoL on page 72 System requirements on page 77 EAPoL terminology Some components and terms used with EAPoL-based security are: Supplicant, which is a device, such as a PC, that applies for access to the network. Authenticator, which is software on the Ethernet Routing Switch 8300 that authorizes or rejects a supplicant attached to the other end of a LAN segment. Configuring and Managing Security using the NNCLI and CLI

48 48 Chapter 1 Overview of security features Authentication Server, which is a RADIUS server that provides authorization services to the authenticator. Port Access Entity (PAE), which is software that controls each port on the switch. The PAE, which resides on the Ethernet Routing Switch 8300, supports the authenticator and supplicant functionalities. Controlled port, which is any port on the switch with EAPoL enabled. Standard 802.1x configuration (single supplicant per port) The Authenticator facilitates the authentication exchanges that occur between the Supplicant and the Authentication Server. The Authenticator PAE encapsulates the EAPoL message into a RADIUS packet and then sends the packet to the Authentication Server. The Authenticator also determines each controlled port s operational state. At system initialization, or when a Supplicant initially connects to one of the switch s controlled ports, the controlled port s state is set to Blocking (unless Guest VLAN or allow-non-eap-mac is set to enabled). After the Authentication Server notifies the Authenticator PAE about the success or failure of the authentication, the Authenticator changes the controlled port s operational state accordingly. The Ethernet Routing Switch 8300 switch transmits and receives EAPoL frames, regardless of whether the port is authorized or unauthorized. Non-EAPoL frames are transmitted according to the rules below: If authentication succeeds, the controlled port s operational state is set to Forwarding. This means that all the incoming and outgoing traffic is allowed through the port. If authentication fails, the controlled port forwards traffic according to how you configure the port s traffic control. The traffic control command can have one of the following two values: Incoming and Outgoing All non-eapol frames received on the controlled port are discarded, and the controlled port s state is set to Blocking. Incoming All non-eapol frames received on the port are discarded, but transmit frames are forwarded through the port C

49 Chapter 1 Overview of security features 49 Configuration example Figure 6 illustrates the EAPoL standard packet path between a supplicant, the authenticator (EEthernet Routing Switch 8300), and the RADIUS server. Figure 6 EAPoL standard 802.1x packet path example New client PC Supplicant 1 Request ID Ethernet Routing Switch 8300 Authenticator RADIUS Authentication Server 2 Send ID 3 Forward ID 5 Forward request for password 4 Request password 6 Send password 7 Forward password 9 Grant access to network 8 Authenticate new client 10 Access network Network 11153FB In the above example, the Ethernet Routing Switch 8300 uses the following steps to authenticate a new client: 1 The Ethernet Routing Switch 8300 detects a new connection on one of its EAPoL-enabled ports and requests a user ID from the new client PC. 2 The new client sends its user ID to the switch. 3 The switch uses RADIUS to forward the user ID to the RADIUS server. 4 The RADIUS server responds with a request for the user s password. 5 The switch forwards the RADIUS server s request to the new client. Configuring and Managing Security using the NNCLI and CLI

50 50 Chapter 1 Overview of security features 6 The new client sends an encrypted password to the switch, within the EAPoL packet. 7 The switch forwards the EAPoL packet to the RADIUS server. 8 The RADIUS server authenticates the password. 9 The switch grants the new client access to the network. 10 The new client accesses the network. Note: If the RADIUS server cannot authenticate the new client, the client is denied access to the network unless Guest VLAN and allow-non-eap-mac is enabled. To operate your Ethernet Routing Switch 8300 in the standard legacy 802.1x security mode, prepare the switch as follows: 1 Globally enable EAPoL on your switch. 2 Configure a RADIUS server to include existing user accounts, and set the EAPoL configurations with usedby set for each account. 3 Set the EAPoL port properties to Admin-state Auto. Note: You cannot enable Guest VLAN or multi-host support while in the standard legacy 802.1x security mode. Figure 7 on page 51 shows how the Ethernet Routing Switch 8300 responds to a port request when in this operational mode C

51 Chapter 1 Overview of security features 51 Figure 7 Standard 802.1x operational mode example Port linkup A Restart Hosts respond to EAPoL Id request? No Block all traffic, except EAPoL. A Yes Start EAPoL supplicant process. EAP0L supplicant process successful? No Install discard filter for this MAC address. A Yes Create 802.1x host Id start PAE state. Forward all ingress and egress traffic. Key Off-page reference On-page reference 11360EA Configuring and Managing Security using the NNCLI and CLI

52 52 Chapter 1 Overview of security features EAPoL static-based security mode This section describes the configuration prerequisites for operating your Ethernet Routing Switch 8300 in the EAPoL static-based security mode. When you operate the Ethernet Routing Switch 8300 in the EAPoL static-based security mode, the switch allows you to statically add up to eight hosts to the port MAC address table, while maintaining EAPoL security safeguards. When in this mode, the non-eap-mac feature allows you to override the PAE-state machine. Note: The EAPoL static-based security mode allows all configured hosts to have complete access to the same broadcast/unicast data on the port. Port behavior using this type of operational mode resembles that of a shared media concept, where you can insert a hub between the switch port and the hosts. In this mode, you can configure up to eight non-eap-mac hosts. Once enabled, MAC addresses of only eight hosts are learned or allowed. If the Ethernet Routing Switch 8300 senses more than eight hosts, the discard record is set for the new host. To operate your Ethernet Routing Switch 8300 in the EAPoL static-based security mode, prepare the switch as follows: 1 Globally enable EAPoL on your switch. 2 Configure a RADIUS server to include existing user accounts, and set the EAPoL configurations with usedby set for each account. 3 Set the EAPoL port properties to Admin-state Auto. 4 Disable non-eap-mac and add each MAC address in the format of XX:XX:XX:XX:XX:XX. 5 Enable non-eap-mac. The switch is now ready to accept frames from only the specified MACs C

53 Chapter 1 Overview of security features 53 Figure 8 shows how the Ethernet Routing Switch 8300 responds to a port request when in this operational mode. Figure 8 EAPoL static-based security example Port linkup A Restart Hosts respond to EAPoL Id request? Yes No Hosts respond to EAPoL Id request? Yes No Block all traffic for this specific MAC address. B Start EAPoL supplicant process. Learn MAC address in FDB. C B EAP0L supplicant process successful? No Install discard filter for this MAC address. A Yes C Create 802.1x host Id start PAE state. Forward all ingress and egress traffic. Key Off-page reference On-page reference 11362EA Configuring and Managing Security using the NNCLI and CLI

54 54 Chapter 1 Overview of security features Non-standard 802.1x guest VLAN This section describes how the Ethernet Routing Switch 8300 allows you to set up a guest VLAN for users connected on EAPoL-enabled ports. This section includes the following topics: Guest VLAN, next Guest VLAN security mode on page 56 Configuration guidelines for setting up a guest VLAN on page 58 Guest VLAN You can configure the switch to allow users connected on EAPoL-enabled ports to a guest network (with restricted access until the port is authenticated). This feature allows network access to users through the guest VLAN. A typical application for this scenario is for network partners, who are not currently registered, but can use the guest VLAN to register. Note: In the following scenario, there is only one user, or one personal computer (PC). The guest VLAN applies to IP telephones and PCs that do not have EAPoL stacks to access the guest VLAN. If any device, which has been provided guest access, is authenticated, the port moves to the assigned VLAN. Your Ethernet Routing Switch 8300 uses the following steps to enable the guest VLAN (refer to Figure 9 on page 55): 1 If Guest VLAN is enabled, the Ethernet Routing Switch 8300 moves EAPoL-enabled ports to the guest VLAN (Item 1 in Figure 9 on page 55). 2 When the Ethernet Routing Switch 8300 detects a new connection on one of its EAPoL-enabled ports, the switch requests a user Id from the new client (Item 2 and 3 in Figure 9 on page 55) C

55 Chapter 1 Overview of security features 55 3 When the new client replies with a user Id and password, the authenticator sends the information to the RADIUS server for authentication (Item 4 and 5 in Figure 9). 4 If the RADIUS server authenticates the new client, the port is placed in the assigned VLAN; otherwise, it remains in the Guest VLAN (Item 6 and 7 in Figure 9). Figure 9 Accessing the guest VLAN EAPoL-enabled ports Guest VLAN New client PC Supplicant 2 Port linkup Ethernet Routing Switch 8300 Authenticator Guest VLAN enabled EAPoL-enabled ports Restart EAPoL session 1 To Guest VLAN RADIUS Authentication Server 3 Request User Id 4 Send User Id and password 5 Forward User Id and password 6 Authenticate new client 7 Place port in assigned VLAN Network 11358FA Configuring and Managing Security using the NNCLI and CLI

56 56 Chapter 1 Overview of security features Guest VLAN security mode This section describes the configuration prerequisites for operating your Ethernet Routing Switch 8300 in the EAPoL Guest VLAN security mode. In this mode, only a single untrusted host is supported on EAPoL-enabled ports. For this operating mode, although the host is untrusted, the Ethernet Routing Switch 8300 allows the host access to the network, as follows: 1 If the host responds to an EAPoL Identity Request, the host is treated similar to an 802.1x supplicant and enters the EAP authentication phase. 2 If EAPoL authentication is successful, the host is moved to the assigned VLAN. 3 If EAPoL authentication fails, or if there is no response to the EAPoL Identity Request, the port is moved to the Guest VLAN. To operate your Ethernet Routing Switch 8300 in the EAPoL Guest VLAN security mode, prepare the switch as follows: 1 Globally enable EAPoL on your switch. 2 Set the EAPoL port properties to Admin-state Auto. 3 Globally configure Guest VLAN ID on your switch. 4 Enable Guest VLAN support on the switch ports. Note: You cannot use Guest VLANs with multihost set to enabled. Note: The Guest VLAN feature only allows one MAC address to be learned. If a second MAC address is learned, a discard filter is installed for any additional MAC addresses learned by the switch C

57 Chapter 1 Overview of security features 57 Figure 10 shows how the Ethernet Routing Switch 8300 responds to a port request when in this operational mode. Figure 10 EAPoL Guest VLAN security example Port linkup Hosts respond to EAPoL Id request? No Learn host MAC address. Yes Start EAPoL supplicant process. A Hosts respond to EAPoL Id request? Yes No B A EAP0L supplicant process successful? No Port remains in Guest VLAN. B Yes Port is moved to assigned VLAN. B Create 802.1x host Id start PAE state. Forward all ingress and egress traffic. Key Off-page reference On-page reference 11362EA Configuring and Managing Security using the NNCLI and CLI

58 58 Chapter 1 Overview of security features Configuration guidelines for setting up a guest VLAN You must configure a global default guest VLAN (refer to Configuring guest networks: on page 59). Guest VLAN Support is a per-port option You can enable Guest VLANs with a valid Guest VLAN Id, per port. If the local Guest VLAN Id is not valid, you can still enable Guest VLAN features, as long as the configured global Guest VLAN Id is valid. The Guest VLAN must be a port-based VLAN. The Guest VLAN configuration settings are saved across resets. If the port authorization fails, the port is placed back into the Guest VLAN, and an authentication failure error log message is displayed. This feature affects ports in the EAP-Auto administrative state. It does not affect ports with force-authorized or force-unauthorized administrative state. When the port is EAPoL-enabled: If Guest VLAN is enabled, the port is placed in the Guest VLAN (for example, the port PVID = Guest VLAN Id). If Guest VLAN is not enabled, the port only services EAPoL packets until it is Authenticated. Although the port may be preconfigured with an association with a specific VLAN, only EAPOL packets are processed until Authentication is complete and successful. You cannot modify the Guest VLAN Id on an EAPoL-enabled port with Guest VLAN set to enabled. When the port is EAPoL-disabled, the port is placed back into the preconfigured VLAN. EAP Authentication: Upon successful Authentication, the port is placed in a preconfigured VLAN or a RADIUS-assigned VLAN. Upon Authentication Failure, if Guest VLAN is enabled, the port will be placed in a Guest VLAN. If Guest VLAN is not enabled, the port only services EAPoL packets. Explicit Log Off by the supplicant: If Guest VLAN is enabled, the port is placed in the Guest VLAN (for example, the port PVID = Guest VLAN Id). If Guest VLAN is not enabled, the port only services EAPoL packets C

59 Chapter 1 Overview of security features 59 ReAuthentication can be enabled for the authmac address. If ReAuthentication fails, the port is placed back into the Guest VLAN. Configuring guest networks: You can configure a guest VLAN using the NNCLI, CLI, or Device Manager. To configure a guest VLAN using the NNCLI, refer to Chapter 13, Configuring EAPoL using the NNCLI, on page 217. To configure a guest VLAN using the CLI, refer to Chapter 14, Configuring EAPOL using the CLI, on page 249. To configure a guest VLAN using Device Manager, refer to Configuring and Managing Security using Device Manager (part number C). Enabling multiple EAPoL sessions per port The multiple EAPoL feature allows for two modes of operation: Basic EAPOL multihost-based security on page 60 When in this operational mode, the Ethernet Routing Switch 8300 supports up to eight EAPoL supplicants on a single switch port. If more than eight EAPoL supplicant are sensed by the Ethernet Routing Switch 8300, the port is shut down and a console message and trap is sent to Device Manager. Enhanced EAPOL multihost-based security on page 62 When in this operational mode, the Ethernet Routing Switch 8300 supports up to eight authenticated 802.1x EAPoL supplicants and, in addition, up to eight non-eapol MAC-based hosts can be supported on a single switch port. Configuring and Managing Security using the NNCLI and CLI

60 60 Chapter 1 Overview of security features Basic EAPOL multihost-based security This section describes the configuration prerequisites for operating your Ethernet Routing Switch 8300 in the Basic EAPoL multihost-based security mode. When you operate your Ethernet Routing Switch 8300 in the Basic EAPoL multihost-based security mode, your switch supports up to eight EAPoL supplicants on a single switch port. If the Ethernet Routing Switch 8300 senses more than eight EAPoL supplicants on the port, the port is blocked, a warning message is displayed on the console, and a trap is sent to the Device Manager application. To operate your Ethernet Routing Switch 8300 in the Basic EAPoL multihost-based security mode, prepare the switch as follows: 1 Globally enable EAPoL on your switch. 2 Configure a RADIUS server to include existing user accounts, and set the EAPoL configurations with usedby, set for each account. 3 Set the EAPoL port properties to Admin-state Auto. 4 Set the multi-host parameter to enable, and set the max-allowed-hosts value to the desired number of hosts. Figure 11 on page 61 shows how the Ethernet Routing Switch 8300 responds to a port request when in this operational mode C

61 Chapter 1 Overview of security features 61 Figure 11 Basic EAPoL multihost-based security example Port linkup A Restart Hosts respond to EAPoL Id request? Yes No Block all traffic for this specific MAC address. Start EAPoL supplicant process. EAP0L supplicant process successful? No Install discard filter for this MAC address. A Yes Create 802.1x host Id start PAE state. Forward all ingress and egress traffic. Key Off-page reference On-page reference 11364EA Configuring and Managing Security using the NNCLI and CLI

62 62 Chapter 1 Overview of security features Enhanced EAPOL multihost-based security You can configure your Ethernet Routing Switch 8300 to allow multiple EAPoL clients and non-eapol clients to be connected on the same EAPoL-enabled port. Each client has to be authenticated before it can access the network. Traffic from unauthorized hosts is allowed on the controlled port as long as there is one authorized host on that port. To restrict network access for non-eapol clients, you add only the MAC addresses of trusted clients to the allowed MAC address list. Traffic from all other clients, whose MAC address is not present in the allowed MAC address list, is discarded. This section includes the following topics: Multiple EAPoL client example, next Prerequisites for using the Enhanced multihost-based security mode on page 63 Configuration guidelines for setting up multiple EAPoL sessions per port on page 66 Multiple EAPoL client example A typical application for this feature is a 2-port switch included in an IP telephone, which provides connectivity for the IP phone and the connected station (refer to Figure 12 on page 63) C

63 Chapter 1 Overview of security features 63 Figure 12 Multiple EAPoL client example New client PC supplicant Nortel IP telephone Hub Ethernet Routing Switch 8300 S1 8/1 RADIUS Authentication server IP telephone (with internal 2-port switch) EAPoL port 11359FB Prerequisites for using the Enhanced multihost-based security mode This section describes the configuration prerequisites for operating your Ethernet Routing Switch 8300 in the Enhanced EAPoL Multihost-based security mode. When you operate your Ethernet Routing Switch 8300 in the EAPoL Multihost-based security (with EAPoL MAC-based security) mode, you can add up to eight authenticated 802.1x supplicants on a single switch port and, in addition to the eight authenticated 802.1x supplicants, you can add up to eight more non-eapol MAC-based hosts. This port behavior is similar to the shared media concept, where you can connect a hub or an IP telephone to the switch port. This mode is designed with IP Telephone in mind, where you can have a non-eapol IP Telephone and a non-eapol supported host. If the IP Telephone does not support EAP authentication, you must enter the IP Telephone s MAC address in the allow non-eap-mac table. If the IP Telephone does support EAPoL, then the remaining eight non-eapol MAC-based hosts can be any host-type desired. Configuring and Managing Security using the NNCLI and CLI

64 64 Chapter 1 Overview of security features When in this mode, a new non-eap-mac feature allows you to override the PAE state machine. Note: This mode allows all configured hosts to have complete access to the same broadcast/unicast data on this port. To operate your Ethernet Routing Switch 8300 in the EAPoL Multihost-based security (with EAPoL MAC-based security) mode, prepare the switch as follows: 1 Globally enable EAPoL on your switch. 2 Configure a RADIUS server to include existing user accounts, and set the EAPoL configurations with usedby, set for each account. 3 Set the EAPoL port properties to Admin-state Auto. 4 Set Multi-host to enable and define the maximum number of hosts desired for this port. 5 Disable allow-non-eap-mac and add up to eight non-eap-mac MAC addresses in the format of XX:XX:XX:XX:XX:XX. 6 Enable allow-non-eap-mac. Figure 13 on page 65 shows how the Ethernet Routing Switch 8300 responds to a port request when in this operational mode C

65 Chapter 1 Overview of security features 65 Figure 13 Enhanced EAPoL multihost-based security example Port linkup A Restart Hosts respond to EAPoL Id request? Yes No Hosts respond to EAPoL Id request? Yes No Block all traffic for this specific MAC address. B Start EAPoL supplicant process. Learn MAC address in FDB. C B EAP0L supplicant process successful? No Install discard filter for this MAC address. A Yes C Create 802.1x host Id start PAE state. Forward all ingress and egress traffic. Key Off-page reference On-page reference 11362EA Configuring and Managing Security using the NNCLI and CLI

66 66 Chapter 1 Overview of security features Configuration guidelines for setting up multiple EAPoL sessions per port The following list provides configuration guidelines for setting up multiple EAPoL sessions per port: When multiple hosts is enabled per port: Upon the first successful authentication: Only EAPoL packets and data from the allowed MAC address is allowed on that port. As subsequent authentications complete, those MAC addresses are allowed as well. Only a predefined maximum number of authenticated users (MAC addresses) are allowed on a port. If allow-non-eap-clients is disabled on the port, any traffic coming from non-eapol MAC addresses is discarded. If allow-non-eap-clients is enabled on the port, the MAC Address is checked against the list of allowed-mac addresses in the non-eap-mac list. If the MAC Address is not in the list, the traffic to and from the MAC address is discarded. The default value for multiple authenticated host support, and non EAPoL clients is 1. The maximum number of multiple authenticated clients that you can configure on a port is eight. The maximum number of non-authenticated clients that you can configure on a port is eight. When the port is configured for multiple authentications, the control directions state machine is disabled. When the port is configured for multiple authentications, dynamic VLAN assignment from RADIUS is disabled. When multiple hosts is disabled per port: All MAC addresses created by EAPoL with discard bits set are deleted. When EAPoL is disabled on the port: All MAC addresses created by EAPoL with discard bits set are deleted C

67 Chapter 1 Overview of security features 67 Configuring multiple EAPoL sessions per port: You can configure multiple EAPoL sessions per port using the NNCLI, CLI, and Device Manager. To configure multiple EAPoL sessions using the NNCLI, refer to Chapter 13, Configuring EAPoL using the NNCLI, on page 217. To configure multiple EAPoL sessions using the CLI, refer to Chapter 14, Configuring EAPOL using the CLI, on page 249. To configure multiple EAPoL sessions using Device Manager, refer to Configuring and Managing Security using Device Manager (part number C). EAPoL dynamic VLAN assignment If EAPoL is enabled on a port, and then the port is authorized, the EAPoL feature dynamically changes the port s VLAN configuration according to preconfigured values, and assigns a new VLAN. The new VLAN configuration values are applied according to previously stored parameters (based on the user_id) in the RADIUS server. The following VLAN configuration values are affected: PVID Port priority When EAPoL is disabled on a port that was previously authorized, the port s VLAN configuration values are restored directly from the switch s non-volatile random access memory (NVRAM). The following exceptions apply to dynamic VLAN assignments: Dynamic VLAN assignment is not supported in multihost mode. The dynamic VLAN configuration values assigned by EAPoL are not stored in the switch s NVRAM. You can override the dynamic VLAN configuration values assigned by EAPoL; however, be aware that the values you configure are not stored in NVRAM. Configuring and Managing Security using the NNCLI and CLI

68 68 Chapter 1 Overview of security features When EAPoL is enabled on a port, and you configure values other than VLAN configuration values, those values are applied and stored in NVRAM. You cannot enable EAPoL on tagged ports or MLT ports. You cannot change the VLAN/STG membership of EAPoL authorized ports. You set up your Authentication Server (RADIUS server) for EAPoL dynamic VLAN assignments. The Authentication Server allows you to configure user-specific settings for VLAN memberships and port priority. When you log on to a system that has been configured for EAPoL authentication, the Authentication Server recognizes your user ID and notifies the switch to assign preconfigured (user-specific) VLAN membership and port priorities to the switch. The configuration settings are based on configuration parameters that were customized for your user ID and previously stored on the Authentication Server. RADIUS MAC centralization This feature allows the centralization of MAC addresses for non-eap clients (typically IP phones). An enable/disable flag is provided at the system level to globally enable/disable the RADIUS MAC centralization feature. Enabling RADIUS MAC centralization at port level takes effect only if the global flag is enabled. Multiple clients can be connected to an EAP-enabled port (with multi-host feature enabled). Each of these clients must be authenticated to gain access to the network. With allow-non-eap-clients enabled, traffic from the unauthorized host is allowed on the port. To restrict access to the non-eap clients, the MAC address of that client must be added to the non-eap MAC list. Traffic from clients that do not have a MAC address in the non-eap MAC undergo RADIUS-based MAC authentication. Note: To restrict access to the non-eap clients, the MAC address (username) of the client that is to be allowed access to the network, and its corresponding password must be configured on the RADIUS server C

69 Chapter 1 Overview of security features 69 For a non-eap client to be authenticated with RADIUS-based MAC authentication, an Access-Request packet is sent to the RADIUS server with the username and password attributes. The username is the MAC address of the non-eap host. The password is a string composed of the following, and in this order: source-ip (configured using the config radius server create <IP> secret <key> usedby eapol source-ip <IP> command) MAC address of the non-eap host slot number and port through which the non-eap host is connected to the switch Note: If the source IP is not configured, the IP address is used in the password string (password string contains as the IP string). The generated password is encrypted using MD5 hashing before sending the Access-Request packet to the radius server. If an entry is present for the non-eap user, then the RADIUS server authenticates the user by sending an Access-Accept packet to the switch. Traffic from a non-eap client that does not have a MAC address present in the non-eap MAC, and that cannot be authenticated by the RADIUS server, is discarded and a log message is generated. The user can configure the number of non-eap clients allowed for each port by configuring max-non-eap-clients. The max-non-eap-clients is the sum of the number of non-eap clients statically configured in the allowed list and the number of non-eap clients authenticated/rejected/pending by the RADIUS server. The config ethernet <slot/port> eapol non-eap-mac shut-down-on-intrusion enable/disable CLI command allows the user to choose whether to shutdown the port when the max-non-eap-clients limit is reached, and the current number of EAP sessions has reached the maximum number of EAP sessions configured. By default, this option is disabled. Configuring and Managing Security using the NNCLI and CLI

70 70 Chapter 1 Overview of security features If the user opts for shutdown, when non-eap-client [max + 1] is attained, with the maximum number of EAP sessions already reached, the port is shut down by changing the port state from auto to force-unauthorized. Trap and log messages are also added. If the user opts not to allow shutdown, a discard record is added for the non-eap client, and trap and log messages are sent. When RADIUS MAC centralization is enabled, and the allow-non-eap-mac feature is enabled, the MAC address of a non-eap client connecting to the switch is checked against the non-eap MAC list. There are two possible outcomes: If the user's MAC address is found in the non-eap MAC list, the user is allowed access to the network. If the user's Mac address is not in the non-eap MAC list, an Access-Request packet is sent to the RADIUS server with the username and password attributes. A discard record is added for this MAC address until the RADIUS server authenticates it. The port is in a forwarding state. When a response is received from the RADIUS server, the discard record is either cleared or retained depending on the result of the authentication. Upon successful authentication, the user is allowed access to the network. The MAC address is learned on the port. The MAC priority, returned by the RADIUS server, is assigned as the QoS for the non-eap MAC address. Dynamic assignment of VLANs is not done for non-eap clients. If the RADIUS server cannot authenticate the user, the src-discard/dst-discard bits per MAC can be set to drop the intruder MAC. Traffic from non-eap clients that do not have a MAC address assigned in the non-eap MAC list, nor in the user configuration file of the RADIUS server, is discarded and a log message is generated. To view the non-eap clients and their state (authenticated/rejected/pending), use the show port info eapol radius-non-eap-mac <slot/port> command. If allow-non-eap-mac is disabled on the EAP-enabled port, any traffic from non-eap MAC addressees is discarded using src-discard/dst-discard bits for the non-eap MAC C

71 Chapter 1 Overview of security features 71 The non-eap host is re-authenticated every time the MAC address is learned. If the switch encounters the an identical MAC address from another port, the non-eap host must be re-authenticated on the port on which it was originally authenticated. When RADIUS MAC centralization is disabled, but the allow-non-eap-mac feature is enabled, the MAC address of a non-eap client connecting to the switch is checked against the non-eap MAC list. There are two possible outcomes in this case: If the user's MAC address is found in the non-eap MAC list, the user is allowed access to the network. If the user's MAC address is not in the non-eap MAC list, the src-discard/dst-discard bits per MAC can be set to drop the intruder MAC. Traffic from the non-eap client whose MAC address is not present in the non-eap MAC list is discarded. Working with RADIUS RADIUS (Remote Access Dial-In User Services) is a distributed client/server system that authenticates users identity through a central database. RADIUS is a fully open and standard protocol, defined by RFCs (Authentication: 2865, Accounting 2866). In the Ethernet Routing Switch 8300, RADIUS performs the following functions: RADIUS authentication lets you identify remote users before you give them access to a central network site. A RADIUS application has two components, the RADIUS server and the RADIUS client. Configuring and Managing Security using the NNCLI and CLI

72 72 Chapter 1 Overview of security features The RADIUS server is a computer equipped with server software (for example, a UNIX* workstation) that is located at a central office or campus. It has authentication and access information in a form that is compatible with the client. Typically, the database in the RADIUS server stores client information, user information, password, and access privileges, including the use of shared secret. A network can have one server for both authentication and accounting, or one server for each service. Note: Radius accounting is not supported for this release. The RADIUS client can be a switch, router or a remote access server that is equipped with client software and that typically resides on the same local area network (LAN) segment as the server. The client is the network access point between the remote users and the server. In the configuration described in this manual (see Figure 6 on page 49), the RADIUS client software resides on the Ethernet Routing Switch RADIUS configuration prerequisites for EAPoL The RADIUS server should be connected to a force-authorized port. This ensures that the port is always available and not tied to whether the switch is EAPoL-enabled. To set up the Authentication Server, set the following Return List attributes for all user configurations (refer to your Authentication Server documentation): VLAN membership attributes Tunnel-Type: value 13, Tunnel-Type-VLAN Tunnel-Medium-Type: value 6, Tunnel-Medium-Type-802 Tunnel-Private-Group-Id: ASCII value 1 to 4094 (this value is used to identify the specified VLAN) Should be encoded by a string. For example, for VLAN 2, Tunnel-Private-Group-Id=''2''; for VLAN 10, Tunnel-Private-Group-Id=''10''. Port priority (vendor-specific) attributes Vendor Id: value 562, Nortel Vendor Id and value 1584, Bay Networks Vendor Id C

73 Chapter 1 Overview of security features 73 Attribute Number: value 1, Port Priority Attribute Value: value 0 (zero) to 7 (this value is used to indicate the port priority value assigned to the specified user) RADIUS accounting for EAPoL Ethernet Routing Switch 8300 supports accounting of EAPoL sessions using RADIUS accounting protocol. A user session is defined as the interval between the instance at which a user is successfully authenticated (port moves to authorized state) and the instance at which the port moves out of the authorized state. Table 3 on page 74 summarizes the accounting events and the information logged. Configuring and Managing Security using the NNCLI and CLI

74 74 Chapter 1 Overview of security features Table 3 Summary of accounting events and information logged. Event Radius Attributes Description User is authenticated by EAPoL and port enters authorized state User logs off and port enters un-authorized state Acct-Status-Type Nas-IP-Address Nas-Port Acct-Session-Id User-Name Acct-Status-Type Nas-IP-Address Nas-Port Acct-Session-Id User-Name Acct-Input-Octets Acct-Output-Octets Acct-Terminate-Cause Acct-Session-Time start IP address to represent Ethernet Routing Switch 8300 Port number on which the user is EAPoL authorized Unique string representing the session EAPoL user name stop IP address to represent Ethernet Routing Switch 8300 Port number on which the user is EAPoL un-authorized Unique string representing the session EAPoL user name Number of octets input to the port during the session Number of octets output to the port during the session Reason for terminating user session. Please see Table 4 for the mapping of 802.1x session termination cause to RADIUS accounting attribute. Session interval Table 4 on page 75 describes the mapping of 802.1x session termination cause to RADIUS accounting attribute C

75 Table x session termination mapping Chapter 1 Overview of security features 75 IEEE 802.1X dot1xauthsessionterminatecause Value RADIUS Acct-Terminate-Cause Value supplicantlogoff(1) User Request (1) portfailure(2) Lost Carrier (2) supplicantrestart(3) Supplicant Restart (19) reauthfailed(4) Reauthentication Failure (20) authcontrolforceunauth(5) Admin Reset (6) portreinit(6) Port Reinitialized (21) portadmindisabled(7) Port Administratively Disabled (22) notterminatedyet(999) N/A Configuring the Ethernet Routing Switch 8300 for EAP and RADIUS The Ethernet Routing Switch 8300, through which UBP users connect, must be configured to communicate with the RADIUS server to exchange EAP authentication information, as well as user role information. You must specify the IP address of the RADIUS server, as well as the shared secret (a password that authenticates the device with the RADIUS server as an EAP access point). EAP must be enabled globally on each device, and EAP authentication settings must be set on each device port through which EAP/UBP users will connect. Use the following procedure to set up the Ethernet Routing Switch 8300 for EAP and RADIUS: 1 Using the CLI, open a Telnet session. 2 Log in to the Ethernet Routing Switch Configuring and Managing Security using the NNCLI and CLI

76 76 Chapter 1 Overview of security features 3 Enter the following command to create a RADIUS server to be used by EAPoL: config radius server create <IPaddr> secret <secretkey> usedby eapol where: IPaddr is the IP address of your RADIUS server. This address tells the switch where to find the RADIUS server from which it will obtain EAP authentication and user role information. secretkey is the shared secret for RADIUS authentication. The shared secret is held in common by the RADIUS server and all EAP-enabled devices in your network. It authenticates each device with the RADIUS server as an EAP access point. When you configure your RADIUS server, you must use the same shared secret value that you use here. 4 Enter the following commands to enable the switch to communicate through EAP, and to globally enable session management: config sys set eapol enable config sys set eapol sess-manage true Note: When OPS learns interfaces on the switch, it sets the config ethernet slot/port sess-manage-mode command to true on individual interfaces. 5 Enter the following commands to enable switch ports for EAP authentication: config ethernet <slot/port> eapol admin-status auto config ethernet <slot/port> eapol reauthentication true 6 Enter the following command to save your changes: save For more information about configuring RADIUS and EAP for the Ethernet Routing Switch 8300, see the appropriate chapters in this manual. For more information about OPS and UBP, see the user documentation for your Optivity Policy Services 4.0 application C

77 Chapter 1 Overview of security features 77 System requirements The following are minimum system requirements for EAPoL: Ethernet Routing Switch 8300 running software release 2.1 and higher RADIUS server Steel Belted RADIUS* (version 4.7 and 5.0) Microsoft IAS (Windows 2000 SP4) Zone Labs* (Identity Server 5.1) Free RADIUS EAPoL clients (XP/Linux*) Microsoft Windows 2000 SP4 Microsoft Windows XP SP2 Aegis* (version ) available on Microsoft Windows 95 and beyond Odyssey Client Manager (version ) available on Microsoft Windows 95 and beyond Red Hat* 802.1x supplicant (version 9.0 with the appropriate package) You must specify the Microsoft Windows 2000 IAS server (or any generic RADIUS server that supports EAP) as the primary RADIUS server for these devices. You must also configure your switch for VLANs (both protocol-based and port-based) and EAPoL security. TACACS+ Ethernet Routing Switch 8300 supports the Terminal Access Controller Access Control System plus (TACACS+) client. TACACS+ is a security application implemented as a client/server-based protocol that provides centralized validation of users attempting to gain access to a router or network access server. TACACS+ differs from RADIUS in two important ways: TACACS+ is a TCP-based protocol Configuring and Managing Security using the NNCLI and CLI

78 78 Chapter 1 Overview of security features TACACS+ uses full packet encryption, rather than just encrypting the password (RADIUS authentication request) Note: TACACS+ encrypts the entire body of the packet, but uses a standard TACACS+ header. TACACS+ provides management of users who access a device through any of the management channels: Telnet, rlogin, FTP, SSH v1, and SSH v2. During the login process, the TACACS+ client initiates TACACS+ authentication and authorization sessions with the server. Note: Prompts for login and password occur prior to the authentication process. If both RADIUS and TACACS+ authentication are enabled, TACACS+ authentication always occurs before RADIUS authentication. If TACACS+ fails because there are no valid servers, then the username and password are used for RADIUS authentication. If RADIUS also fails, then the username and password are used for the local database. (That is, authentication is always attempted in the following order: TACACS+, RADIUS, the local database.) If TACACS+ returns an access denied packet, then the user is offered a new authentication attempt (login/password prompts are re-issued the authentication process is not passed to RADIUS). TACACS+ architecture You can configure TACACS+ on the Ethernet Routing Switch 8300 using the following methods: Connect the TACACS+ server through a local interface (see Figure 14 on page 79). Management PCs can reside on the out-of-band management port, serial port, or on the corporate network. The TACACS+ server is placed on the corporate network so that it can be routed to the Ethernet Routing Switch Connect the TACACS+ server through the management interface using an out-of-band management network (see Figure 15 on page 79) C

79 Chapter 1 Overview of security features 79 Figure 14 Connecting the TACACS+ server through a local interface Corporate network Management PC Ethernet Routing Switch 8300 TACACS+ server Figure 15 Connecting the TACACS+ server though the management interface Management PC Out-of-band management network Ethernet Routing Switch 8300 TACACS+ server 1 TACACS+ server 2 Multiple TACACS+ servers can be configured for backup authentication in both the local interface and out-of-band management network scenarios. The primary authentication server will be determined by server priority. TACACS+ authentication TACACS + authentication offers complete control of authentication through login/password dialog and response. The authentication session provides username/password functionality. Configuring and Managing Security using the NNCLI and CLI

80 80 Chapter 1 Overview of security features TACACS+ authorization The transition from the TACACS+ authentication to authorization phase is transparent to the user. Upon successful completion of the authentication session, an authorization session starts with the authenticated username. The authorization session provides access level functionality. TACACS+ access levels TACACS+ supports six Ethernet Routing Switch 8300 access levels. Table 5 shows the scheme used to map the access levels to TACACS+ privilege levels. Table 5 Ethernet Routing Switch 8300 access levels Ethernet Routing Switch 8300 access level Privilege level None (0) 0 READ ONLY (1) 1 L1 READ WRITE (2) 2 L2 READ WRITE (3) 3 L3 READ WRITE (4) 4 READ WRITE (5) 5 READ WRITE ALL (6) 6 Note: This version of TACACS+ does not support any other TACACS+ arguments in authorization requests, such as cmd, cmd-arg, acl, zonelist, addr, routing, and so on. If you attempt to configure any argument in authorization requests (other than access level and privilege level), the TACACS+ request is dropped by the switch and an error is recorded to system log C

81 Chapter 2 Setting passwords and locking ports using the NNCLI 81 This chapter describes how to set passwords and lock ports using the NNCLI. It includes the following topics: Topic Page Changing passwords 82 Resetting passwords 83 Setting the port lock 83 Roadmap of NNCLI password and lock port commands The following roadmap lists the NNCLI password and lock port commands and their parameters. Use this list as a quick reference or click on any entry for more information: Command username <string> level {l1 l2 l3 ro rw rwa} portlock on portlock off Parameter Configuring and Managing Security using the NNCLI and CLI

82 82 Chapter 2 Setting passwords and locking ports using the NNCLI Changing passwords The Ethernet Routing Switch 8300 is shipped with default passwords set for access to the NNCLI. To set new passwords for each access level or to change the login or password for the different access levels of the switch, use the following command from Global configuration mode: username <string> level {l1 l2 l3 ro rw rwa} where: string is the login name. The name can be up to 20 alphanumeric characters. l1 changes the layer 1 read write login and/or password. l2 changes the layer 2 read write login and/or password. l3 changes the layer 3 read write login and/or password. ro changes the read-only login and/or password. rw changes the read/write login and/or password. rwa changes the read/write/all login and/or password. Configuration example: passwords The following configuration example uses the commands described above to: Change the ro username to test. Change the old password of ro to View the modified access level information. Figure 16 on page 83 shows sample output using these commands C

83 Chapter 2 Setting passwords and locking ports using the NNCLI 83 Figure 16 config cli password command sample output Passport-8310:6(config)# username test level ro Enter the old password : ** Enter the New password : ****** Re-enter the New password : ****** Password changed successfully Passport-8310:6(config)#show username ACCESS LOGIN rwa rwa rw rw l3 l3 l2 l2 l1 l1 ro test Passport-8310:6(config)# Resetting passwords For recovery (passwords lost), you have to reset the switch and then apply the following command in Boot Monitor mode: monitor# reset-passwd For other issues related to passwords, please contact Nortel customer support. Setting the port lock The port lock feature allows you to administratively lock a port or ports to prevent other users from changing port parameters or modifying port action. Locked ports cannot be modified in any way until the port is first unlocked. Configuring and Managing Security using the NNCLI and CLI

84 84 Chapter 2 Setting passwords and locking ports using the NNCLI Enabling port lock To enable the port lock feature globally, use the following command from Global configuration mode: portlock on To enable the port lock feature for a specific port or ports, use the following command from Interface configuration mode: interface FastEthernet slot/port[-<slot/port>][,...] lock port <slot/port[-<slot/port>][,...] Disabling port lock To disabling the port lock feature globally, use the following command from Global configuration mode: portlock off To disabling the port lock feature for a specific port or ports, use the following command from Interface configuration mode: interface FastEthernet slot/port[-<slot/port>][,...] no lock port <slot/port[-<slot/port>][,...] C

85 Chapter 3 Setting passwords and locking ports using the CLI 85 This chapter describes how to set passwords and lock ports using the Ethernet Routing Switch 8300 CLI. It includes the following topics: Topic Page Changing passwords 86 Resetting passwords 88 Setting the port lock 88 Roadmap of CLI password and port lock commands The following roadmap lists the CLI password and lock port commands and their parameters. Use this list as a quick reference or click on any entry for more information: Command config cli password config sys set portlock <on off> Parameter info ro <username> l1 <username> l2 <username> l3 <username> rw <username> rwa <username> Configuring and Managing Security using the NNCLI and CLI

86 86 Chapter 3 Setting passwords and locking ports using the CLI Changing passwords The Ethernet Routing Switch 8300 is shipped with default passwords set for access to the CLI. To set new passwords for each access level or to change the login or password for the different access levels of the switch, use the following command: config cli password This command includes the following options: config cli password followed by: info ro <username> l1 <username> l2 <username> l3 <username> rw <username> rwa <username> Shows current level parameter settings. Changes the read-only login and/or password. username is the login name. Changes the layer 1 read/write login and/or password. username is the login name. Changes the layer 2 read/write login and/or password. username is the login name. Changes the layer 3 read/write login and/or password. username is the login name. Changes the read/write login and/or password. username is the login name. Changes the read/write/all login and/or password. username is the login name C

87 Chapter 3 Setting passwords and locking ports using the CLI 87 Configuration example: passwords The following configuration example uses the commands described above to: Change the ro username to test. Change the old password of ro to View the modified access level information. Figure 17 shows sample output using these commands. Figure 17 config cli password command sample output Passport-8310:5# config cli password ro test Enter the old password : ** Enter the New password : ****** Re-enter the New password : ****** Password changed successfully Passport-8310:5# config cli password info Sub-Context: clear config monitor show test trace Current Context: ACCESS rwa rw l3 l2 l1 ro LOGIN rwa rw l3 l2 l1 test Passport-8310:5# Configuring and Managing Security using the NNCLI and CLI

88 88 Chapter 3 Setting passwords and locking ports using the CLI Resetting passwords For recovery (passwords lost), you have to reset the switch and then apply the following command in Boot Monitor mode: monitor# reset-passwd For any other issue related to passwords, please contact Nortel customer support. Setting the port lock The Port Lock feature allows you to administratively lock a port or ports to prevent other users from changing port parameters or modifying port action. Locked ports cannot be modified in any way until the port is first unlocked. To enable or disable the port lock feature globally, use the following command: config sys set portlock <on off> where: on locks all ports. off unlocks all ports. To enable or disable the port lock feature for a specific port or ports, use the following command: config ethernet <slot/port[-<slot/port>][,...] lock <true false> where: true locks the specified port or ports. false unlocks the specified port or ports C

89 89 Chapter 4 Configuring access policies using the NNCLI You can control access to the switch by creating an access policy. An access policy specifies the hosts or networks that can access the switch through various services, such as Telnet, SSH, HTTP, FTP, TFTP, or rlogin. You can enable or disable access services by setting flags from the Boot Monitor CLI or the NNCLI. Note: To access the backup CPU using the peer rlogin command, you must set an access policy that enables rlogin access to the backup CPU. See Getting Started ( C) for more information about the peer rlogin command. For information about enabling access services for a specific policy using the NNCLI, see Enabling or disabling an access policy on page 99. You can define network stations explicitly allowed to access the switch or network stations explicitly forbidden to access the switch. For each service you can also specify the level of access, such as read-only or read/write/all. When you set up access policies, you can either: Globally enable the access policy feature, and then create and enable individual policies. Each policy takes effect immediately when you enable it. Create and enable individual access policies, and then globally enable the access policy feature to activate all the policies at the same time. Configuring and Managing Security using the NNCLI and CLI

90 90 Chapter 4 Configuring access policies using the NNCLI This chapter includes the following topics: Topic Page Roadmap of NNCLI access policy commands 90 Enabling and disabling the access policy feature globally 92 Configuring access policies 92 Roadmap of NNCLI access policy commands The following roadmap lists the NNCLI access policy commands and their parameters. Use this list as a quick reference or click on any entry for more information: Command access-policy no access-policy access-policy policy <policy ID> Parameter accesslevel <string> create disable enable host <ipaddr> ftp http rlogin mode <allow deny> name <name> network <ipaddr> <mask> precedence <value> ssh telnet tftp C

91 Chapter 4 Configuring access policies using the NNCLI 91 Command show access-policy [<polname>] access-policy policy <policy ID> create access-policy policy <policy ID > network <ipaddr> <mask> access-policy policy <policy ID > mode <allow deny> access-policy policy <policy ID > accesslevel <string> access-policy policy <policy ID > host <ipaddr> access-policy policy <policy ID > username <name> access-policy policy <policy ID > precedence <value> access-policy policy <policy ID > name <name> access-policy policy <policy ID> enable access-policy policy <policy ID> disable Parameter username <name> Configuring and Managing Security using the NNCLI and CLI

92 92 Chapter 4 Configuring access policies using the NNCLI Enabling and disabling the access policy feature globally To enable the access policy feature globally, use the following command from Global configuration mode: access-policy To disable the access policy feature globally, use the following command from Global configuration mode: no access-policy Configuring access policies To configure an access policy, use the following command from Global configuration mode: access-policy policy <policy ID> where: policy ID is the number that identifies the policy. The valid values are 1 to This command includes the following parameters: access-policy policy <policy ID> followed by: accesslevel <string> create disable enable host <ipaddr> Allows you to specify the level of access for a policy that will allow access. string is the access level. The valid options are ro, rw, or rwa. Creates the specified access policy on the switch. Disables the access policy on the switch. Enables the access policy on the switch For rlogin access, specifies the trusted host address C

93 Chapter 4 Configuring access policies using the NNCLI 93 access-policy policy <policy ID> followed by: ftp http rlogin mode <allow deny> name <name> network <ipaddr> <mask> precedence <value> ssh telnet tftp username <name> Enables FTP for the specified policy. The default is disable. Enables HTTP for the specified policy. The default is disable. Enables rlogin for the specified policy. The default is disable. Specifies whether this network address is allowed or denied access through the specified access service. The default is allow. Specifies the name of the access policy. The default name is policy <policy_id>. name can be from 0 to 15 characters. Specifies the IP address and the subnet mask that are being permitted or denied access through the specified access service. Specifies a precedence for the policy. value is a number from 1 to 128. This value determines which policy to use if multiple policies apply. Lower numbers have higher precedence. The default is 10. Enables SSH for the specified policy. The default is enable. Enables Telnet for the specified policy. The default is disable. Enables TFTP for the specified policy. The default is disable. For rlogin access, specifies the trusted host user name. name can be from 0 to 30 characters. To view the global access policy setting (on=enabled or off=disabled) and configuration information for all access policies, or for a specific access policy, use the following command from Privileged EXEC, Global configuration, or Interface configuration mode: show access-policy [<polname>] Configuring and Managing Security using the NNCLI and CLI

94 94 Chapter 4 Configuring access policies using the NNCLI where: polname specifies the name of the access policy for which you want to view information. To display the global access policy setting (on=enabled or off=disabled), use the following command from Privileged EXEC, Global configuration, or Interface configuration mode: show access policy To delete an access policy, use the following command from Global configuration mode: no access-policy policy <policy ID> where: policy ID is the number that identifies the policy. The valid values are 1 to Creating an access policy To create an access policy, use the following command from Global configuration mode: access-policy policy <policy ID> create where: policy ID is the number that identifies the policy that you are creating. Allowing a network or device access to the switch You can configure network access to be scoped to a network or constrained to a single device on a network through the use of the network mask. The mask controls how much of the IP address is to be considered. For example, with a subnet mask of , only the first 3 octets of the IP address are examined. The fourth octet becomes 0, as in If a single device is to be examined, the subnet mask must be , which forces the entire IP address to be examined C

95 Chapter 4 Configuring access policies using the NNCLI 95 To specify the network to which you want to allow access, use the following command from the Global configuration mode: access-policy policy <policy ID > network <ipaddr> <mask> where: policy ID is the number that identifies the policy that you are creating. ipaddr is the IP address that is being permitted or denied access through the specified access service. mask is the subnet mask that is being permitted or denied access through the specified access service. Example 1 Create an access policy (policy 10). Indicate that the access policy is for a network with an IP address of and a mask of Display information about the configured access policies. Figure 18 on page 96 shows how to configure an access policy for a network using the access-policy policy network command. Configuring and Managing Security using the NNCLI and CLI

96 96 Chapter 4 Configuring access policies using the NNCLI Figure 18 access-policy policy network command sample output (network) Passport-8310:5(config)# access-policy policy 10 create Passport-8310:5(config)# access-policy policy 10 network Passport-8310:5(config)# show access-policy AccessPolicyEnable: on Id: 1 Name: default PolicyEnable: true Mode: allow Service: http telnet ssh Precedence: 128 NetAddr: NetMask: TrustedHostAddr: TrustedHostUserName: none AccessLevel: readonly Usage: 0 Id: 10 Name: policy10 PolicyEnable: true Mode: allow Service: Precedence: 10 NetAddr: NetMask: TrustedHostAddr: TrustedHostUserName: none AccessLevel: readonly Usage: 0 Passport-8310:5(config)# Example 2 Create an access policy (policy 20) C

97 Chapter 4 Configuring access policies using the NNCLI 97 Indicate that the access policy is for a single device with an IP address of and a mask of Display information about the configured access policies. Figure 19 shows how to configure an access policy for a single device using the access-policy policy network command. Figure 19 access-policy policy network command sample output (device) Passport-8310:5(config)# access-policy policy 20 create Passport-8310:5(config)# access-policy policy 20 network Passport-8310:5(config)# show access-policy AccessPolicyEnable: on Id: 1 Name: default PolicyEnable: true Mode: allow Service: http telnet ssh Precedence: 128 NetAddr: NetMask: TrustedHostAddr: TrustedHostUserName: none AccessLevel: readonly Usage: 0 Id: 20 Name: policy20 PolicyEnable: true Mode: allow Service: Precedence: 10 NetAddr: NetMask: TrustedHostAddr: TrustedHostUserName: none AccessLevel: readonly Usage: 0 Passport-8310:5(config)# Configuring and Managing Security using the NNCLI and CLI

98 98 Chapter 4 Configuring access policies using the NNCLI To specify whether this network address is allowed or denied access through an access service, use the following command from Global configuration mode: access-policy policy <policy ID > mode <allow deny> where: policy ID is the number that identifies the policy that you are creating. allow deny allows or denies access through the specified access service. If the policy is to allow access, to specify a level of access, use the following command from Global configuration mode: access-policy policy <policy ID > accesslevel <string> where: policy ID is the number that identifies the policy that you are creating. string is the access level (ro, rw, rwa) or equivalent community string designation (read-only, read/write, or read/write/all). Specifying the host and username for rlogin For rlogin access, you must specify a trusted host address and a trusted host user name. To specify the host address and user name, use the following commands from Global configuration mode: access-policy policy <policy ID > host <ipaddr> access-policy policy <policy ID > username <name> where: policy ID is the number that identifies the policy that you are creating. ipaddr is the trusted host address. name is the associated user name for this address. To access the switch, you must log in using the user name and host address that you specified in this section C

99 Assigning a precedence for the policy Chapter 4 Configuring access policies using the NNCLI 99 To assign a precedence for the policy, use the following command from Global configuration mode: access-policy policy <policy ID > precedence <value> where: policy ID is the number that identifies the policy that you are creating. value is a number from 1 to 128. This value determines which policy to use if multiple policies apply. Lower numbers have higher precedence. Naming an access policy To assign a name to the policy, use the following command from Global configuration mode: access-policy policy <policy ID > name <name> where: policy ID is the number that identifies the policy that you are creating. name is a string from 0 to 15 characters. Enabling or disabling an access policy To enable an access policy, use the following command from Global configuration mode: access-policy policy <policy ID> enable where: policy ID is the number that identifies the policy that you are enabling. The valid values are 1 to Configuring and Managing Security using the NNCLI and CLI

100 100 Chapter 4 Configuring access policies using the NNCLI To disable an access policy, use the following command from Global configuration mode: access-policy policy <policy ID> disable where: policy ID is the number that identifies the policy that you are disabling. The valid values are 1 to Configuration example - access policies The following configuration example uses the previously described commands to: Create access policy Set the network information for access policy 2345 to Set the username for access policy 2345 to test. Set the host for access policy 2345 to Set the name for access policy 2345 to testpolicy. Set the precedence for access policy 2345 to 100. Enable FTP for access policy Enable telnet for access policy View information about the access policy. Figure 20 on page 101 shows sample output using these commands C

101 Figure 20 access-policy policy command sample output Chapter 4 Configuring access policies using the NNCLI 101 Passport-8306:5(config)#access-policy policy 2345 create Passport-8306:5(config)#access-policy policy 2345 network Passport-8306:5(config)#access-policy policy 2345 username test Passport-8306:5(config)#access-policy policy 2345 host Passport-8306:5(config)#access-policy policy 2345 name testpolicy Passport-8306:5(config)#access-policy policy 2345 precedence 100 Passport-8306:5(config)#access-policy policy 2345 ftp Passport-8306:5(config)#access-policy policy 2345 telnet Passport-8306:5(config)#show access-policy AccessPolicyEnable: on Id: 1 Name: default PolicyEnable: true Mode: allow Service: http telnet ssh Precedence: 128 NetAddr: NetMask: TrustedHostAddr: TrustedHostUserName: none AccessLevel: readonly Usage: 0 Id: 2345 Name: testpolicy PolicyEnable: true Mode: allow Service: ftp telnet Precedence: 100 NetAddr: NetMask: TrustedHostAddr: TrustedHostUserName: test AccessLevel: readonly Usage: 0 Passport-8306:5(config)# Configuring and Managing Security using the NNCLI and CLI

102 102 Chapter 4 Configuring access policies using the NNCLI C

103 103 Chapter 5 Configuring access policies using the CLI You can control access to the switch by creating an access policy. An access policy specifies the hosts or networks that can access the switch through various services, such as Telnet, SSH, HTTP, FTP, TFTP, or rlogin. You can enable or disable access services by setting flags from the Boot Monitor CLI or the CLI. Note: To access the backup CPU using the peer rlogin command, you must set an access policy that enables rlogin access to the backup CPU. See Getting Started ( C) for more information about the peer rlogin command. For information about enabling access services for a specific policy using the CLI, see Enabling or disabling an access policy on page 114. You can define network stations explicitly allowed to access the switch or network stations explicitly forbidden to access the switch. For each service you can also specify the level of access, such as read-only or read/write/all. When you set up access policies, you can either: Globally enable the access policy feature, and then create and enable individual policies. Each policy takes effect immediately when you enable it. Create and enable individual access policies, and then globally enable the access policy feature to activate all the policies at the same time. Configuring and Managing Security using the NNCLI and CLI

104 104 Chapter 5 Configuring access policies using the CLI This chapter includes the following topics: Topic Page Roadmap of CLI access policy commands 104 Enabling the access policy feature globally 105 Configuring access policies 106 Roadmap of CLI access policy commands The following roadmap lists the CLI access policy commands and their parameters. Use this list as a quick reference or click on any entry for more information: Command config sys access-policy enable <true false> config sys access-policy policy <pid> config sys access-policy policy <pid> service Parameter info accesslevel <level> create delete disable enable host <ipaddr> mode <mode> name <name> network <addr/mask> precedence <precedence> username <string> info ftp <enable disable> C

105 Chapter 5 Configuring access policies using the CLI 105 Command config sys access-policy policy <pid> network <addr/mask> config sys access-policy policy <pid> mode <allow deny> config sys access-policy policy <pid> accesslevel <level> config sys access-policy policy <pid> host <ipaddr> config sys access-policy policy <pid> username <string> config sys access-policy policy <pid> precedence <precedence> config sys access-policy policy <pid> name <name> config sys access-policy policy <pid> <enable disable> Parameter http <enable disable> rlogin <enable disable> ssh <enable disable> telnet <enable disable> tftp <enable disable> Enabling the access policy feature globally To enable the access policy feature globally, use the following command: config sys access-policy enable <true false> where: true enables the access-policy feature globally. false disables the access-policy feature globally. Configuring and Managing Security using the NNCLI and CLI

106 106 Chapter 5 Configuring access policies using the CLI Configuring access policies To configure an access policy, use the following command: config sys access-policy policy <pid> where: pid is the number that identifies the access policy. The valid values are 1 to This command includes the following parameters: config sys access-policy policy <pid> followed by: info accesslevel <level> create delete disable enable host <ipaddr> mode <mode> name <name> network <addr/mask> Shows information about the specified access policy. Allows you to specify the level of access if the policy is to allow access. level is the access level (ro, rw, or rwa). Creates the specified access policy on the switch. Removes the specified access policy from the switch. Disables the access policy on the switch. Enables the access policy on the switch For rlogin access, specifies the trusted host address. Specifies whether this network address is allowed or denied access through the specified access service. The default is allow. Specifies the name of the policy. The default name is policy <policy_id>. name can be from 0 to 15 characters. Specifies the IP address and subnet mask that are being permitted or denied access through the specified access service C

107 Chapter 5 Configuring access policies using the CLI 107 config sys access-policy policy <pid> followed by: precedence <precedence> username <string> Specifies a precedence for the policy. precedence is a number from 1 to 128. This value determines which policy to use if multiple policies apply. Lower numbers have higher precedence. The default is 10. For rlogin access, specifies the trusted host user name. string can be from 0 to 30 characters. Creating an access policy To create an access policy, use the following command: config sys access-policy policy <pid> create where: pid is the number that identifies the policy that you are creating. The valid values are 1 to Enabling an access service To enable or disable an access service for the specified policy, use the following command: config sys access-policy policy <pid> service where: pid is the number that identifies the policy. The valid values are 1 to Configuring and Managing Security using the NNCLI and CLI

108 108 Chapter 5 Configuring access policies using the CLI This command includes the following parameters: config sys access-policy policy <pid> service followed by: info ftp <enable disable> http <enable disable> rlogin <enable disable> ssh <enable disable> telnet <enable disable> tftp <enable disable> Shows the status (enable or disable) of the available access services for the specified policy. Enables or disables FTP for the specified policy. The default is disable. Enables or disables HTTP for the specified policy. The default is disable. Enables or disables rlogin for the specified policy. The default is disable. Enables or disables SSH for the specified policy. The default is disable. Enables or disables Telnet for the specified policy. The default is disable. Enables or disables TFTP for the specified policy. The default is disable. Configuration example: access policy and service The following configuration example uses the commands described above to: Enable FTP for access policy Enable telnet for access policy View the information for the access policy. Figure 21 on page 109 show sample output using these commands C

109 Chapter 5 Configuring access policies using the CLI 109 Figure 21 config sys access-policy policy service commands output Passport-8310:5# config sys access-policy policy 2345 service ftp enable Passport-8310:5# config sys access-policy policy 2345 service telnet enable Passport-8310:5# config sys access-policy policy 2345 service info Sub-Context: clear config dump monitor show test trace wsm asfm sam Current Context: Passport-8310:5# http : disable rlogin : disable telnet : enable ssh : disable tftp : disable ftp : enable Allowing a network or device access to the switch You can configure network access to be scoped to a network or constrained to a single device on a network through the use of the network mask. The mask controls how much of the IP address is to be considered. For example, with a subnet mask of , only the first 3 octets of the IP address are examined. The fourth octet becomes 0, as in If a single device is to be examined, the subnet mask must be , which forces the entire IP address to be examined. To specify the network or device to which you want to allow access, use the following command: config sys access-policy policy <pid> network <addr/mask> Configuring and Managing Security using the NNCLI and CLI

110 110 Chapter 5 Configuring access policies using the CLI where: pid is the number that identifies the policy that you are creating. The valid values are 1 to addr/mask is the IP address and subnet mask that are being permitted or denied access through the specified access service. Example 1 Create an access policy (policy 10). Indicate that the access policy is for a network with an IP address of and a mask of Display information about the configured access policies. Figure 22 on page 111 shows how to configure an access policy for a network using the config sys access-policy policy command C

111 Chapter 5 Configuring access policies using the CLI 111 Figure 22 config sys access-policy policy command sample output (network) Passport-8310:5# config sys access-policy policy 10 create Passport-8310:5# config sys access-policy policy 10 network / Passport-8310:5# show sys access-policy info AccessPolicyEnable: on Id: 1 Name: default PolicyEnable: true Mode: allow Service: http telnet ssh Precedence: 128 NetAddr: NetMask: TrustedHostAddr: TrustedHostUserName: none AccessLevel: readonly Usage: 245 Id: 10 Name: policy10 PolicyEnable: true Mode: allow Service: Precedence: 10 NetAddr: NetMask: TrustedHostAddr: TrustedHostUserName: none AccessLevel: readonly Usage: 0 Passport-8310:5# Example 2 Create an access policy (policy 20). Indicate that the access policy is for a single device with an IP address of and a mask of Display information about the configured access policies. Configuring and Managing Security using the NNCLI and CLI

112 112 Chapter 5 Configuring access policies using the CLI Figure 23 shows how to configure an access policy for a single device using the config sys access-policy policy command. Figure 23 config sys access-policy policy command sample output (device) Passport-8310:5# config sys access-policy policy 20 create Passport-8310:5# config sys access-policy policy 20 network / Passport-8310:5# show sys access-policy info AccessPolicyEnable: on Id: 1 Name: default PolicyEnable: true Mode: allow Service: http telnet ssh Precedence: 128 NetAddr: NetMask: TrustedHostAddr: TrustedHostUserName: none AccessLevel: readonly Usage: 245 Id: 20 Name: policy20 PolicyEnable: true Mode: allow Service: Precedence: 10 NetAddr: NetMask: TrustedHostAddr: TrustedHostUserName: none AccessLevel: readonly Usage: 0 Passport-8310:5# To specify whether this network address is allowed or denied access through an access service, use the following command: config sys access-policy policy <pid> mode <allow deny> C

113 Chapter 5 Configuring access policies using the CLI 113 where: pid is the number that identifies the policy that you are creating. The valid values are 1 to allow deny allows or denies access through the specified access service. If the policy is to allow access, to specify a level of access, use the following command: config sys access-policy policy <pid> accesslevel <level> where: pid is the number that identifies the policy that you are creating. The valid values are 1 to level is the access level; the valid values are ro (read-only), rw (read-write), and rwa (read/write/all). Specifying the host and username for rlogin For rlogin access, you must specify a trusted host address and a trusted host user name. To specify the host address and user name, use the following commands: config sys access-policy policy <pid> host <ipaddr> config sys access-policy policy <pid> username <string> where: pid is the number that identifies the policy that you are creating. The valid values are 1 to ipaddr is the trusted host address. string is the associated user name for this address. To access the switch, you must log in using the user name and host address that you configure using these commands. Assigning a precedence for the policy To assign a precedence for the policy, use the following command: config sys access-policy policy <pid> precedence <precedence> Configuring and Managing Security using the NNCLI and CLI

114 114 Chapter 5 Configuring access policies using the CLI where: pid is the number that identifies the policy that you are creating. The valid values are 1 to precedence is a number from 1 to 128. This value determines which policy to use if multiple policies apply. Lower numbers have higher precedence. Naming an access policy To assign a name to the policy, use the following command: config sys access-policy policy <pid> name <name> where: pid is the number that identifies the policy that you are creating. name is a string from 1 to 15 characters. Enabling or disabling an access policy To enable or disable an access policy, use the following command: config sys access-policy policy <pid> <enable disable> where: pid is the number that identifies the policy that you are enabling or disabling. The valid values are 1 to enable disable enables or disables the specified policy C Configuration example: access policies The following configuration example uses the commands described above to: Create access policy View the information for the access policy. Set the network information for access policy 2345 to / Set the username for access policy 2345 to test. Set the host for access policy 2345 to Set the name for access policy 2345 to testpolicy.

115 Chapter 5 Configuring access policies using the CLI 115 Set the precedence for access policy 2345 to 100. View the information for the access policy. Figure 24 on page 116 shows sample output using these commands. Configuring and Managing Security using the NNCLI and CLI

116 116 Chapter 5 Configuring access policies using the CLI Figure 24 config sys access-policy policy command sample output Passport-8310:5# config sys access-policy policy 2345 create Passport-8310:5# config sys access-policy policy 2345 info Sub-Context: clear config monitor show test trace Current Context: create : delete : N/A name : policy2345 policy enable : true mode : allow precedence : 10 network : / host : username : none accesslevel : readonly Passport-8310:5# config sys access-policy policy 2345 network / Passport-8310:5# config sys access-policy policy 2345 username test Passport-8310:5# config sys access-policy policy 2345 host Passport-8310:5# config sys access-policy policy 2345 name testpolicy Passport-8310:5# config sys access-policy policy 2345 precedence 100 Passport-8310:5# config sys access-policy policy 2345 info Sub-Context: clear config monitor show test trace Current Context: Passport-8310:5# create : delete : N/A name : testpolicy policy enable : true mode : allow precedence : 100 network : / host : username : test accesslevel : readonly C

117 Chapter 6 Configuring SNMPv3 using the NNCLI 117 An SNMPv3 engine provides services for sending and receiving messages, authenticating and encrypting messages, and controlling access to managed objects. There is a one-to-one association between an SNMP engine and the SNMP entity, which contains it. This chapter describes how to set up your SNMP configuration using the NNCLI: Topic Page Loading the encryption module 119 Creating a new user in the USM table 120 Creating a new user group member 122 Creating v3 group access 124 Creating a new entry for the MIB in the View table 127 Creating a community 129 SNMPv3 configuration example 131 SNMPv1/SNMPv2 configuration example 132 Displaying SNMP system information 133 Blocking SNMP 135 Configuring and Managing Security using the NNCLI and CLI

118 118 Chapter 6 Configuring SNMPv3 using the NNCLI Roadmap of NNCLI SNMPv3 commands The following roadmap lists the NNCLI SNMPv3 commands and their parameters. Use this list as a quick reference or click on any entry for more information: Command snmp-server user <UserName> [<auth protocol>] [auth <password>] [priv <password>] no snmp-server user <UserName> show snmp-server user snmp-server member <user name> <model> [<group name>] no snmp-server member <user name> <model> snmp-server group <group name> <prefix> <model> <level> no snmp-server group <group name> <prefix> <model> <level> show snmp-server group snmp-server view <View Name> <subtree oid> [mask <value>] [type <value>] snmp-server community <Comm Idx> <commstr> <security> no snmp-server community <Comm Idx> snmp-server group view newgroupgrp snmpv1 noauthnopriv read root write root show running-config Parameter C

119 Loading the encryption module Chapter 6 Configuring SNMPv3 using the NNCLI 119 Before you access the switch using SNMPv3 with DES encryption, you must load the encryption module, p83c2200.des, which allows you to use the Privacy protocol. 1 Open in your browser. 2 Log in. 3 Ensure the Browse product support tab is selected. 4 Select Passport from the list in box 1. 5 Select Ethernet Routing Switch 8300 from the list in box 2. 6 Select Software from the list in box 3. 7 Click Go. 8 Click on the Ethernet Routing Switch 8300 SNMPv3 & 3DES link. 9 Answer the questions on the questionnaire. 10 Click Submit. 11 Right-click on the file download link and enter a file location in which to copy the DES encryption module. 12 Click OK. 13 The file is downloaded. Note: Note the location of this file. You must load the file on the switch before you can use the protocol. 14 Use FTP or TFTP to load this file to the switch. Note: If FTP or TFTP fails, either the service is not enabled or a filter is blocking FTP or TFTP access. 15 Open the DOS window. Figure 25 on page 120 shows sample output from an FTP session. Configuring and Managing Security using the NNCLI and CLI

120 120 Chapter 6 Configuring SNMPv3 using the NNCLI Figure 25 FTP sample output from DOS window c:\ftp < > Connected to < > 220 Passport FTP server ready User (< >:(none)): rwa 331 Password required Password: *** 230 User logged in ftp> bin 200 Type set to I, binary mode ftp> put <path to file on the PC> 16 Return to the Ethernet Routing Switch 8300 and load the module from Global configuration mode, by entering the following command: load-module DES /flash/p83c2200.des Creating a new user in the USM table To create a new user in the USM table on the Ethernet Routing Switch 8300, enter the following command from Global configuration mode: snmp-server user <UserName> [<auth protocol>] [auth <password>] [priv <password>] where: UserName specifies the security name. The name is used as an index to the table. The range is 1 to 32 characters. auth protocol specifies an authentication protocol. If no value is entered, the entry has no authentication capability. The protocol choices are MD5 and SHA. auth <password> specifies an authentication password. If no value is entered, the entry has no authentication capability. The range is 1 to 32 characters. priv <password> assigns a privacy password. If no value is entered, the entry has no privacy capability. The range is 1 to 32 characters. You must set authentication before you can set the privacy option C

121 Chapter 6 Configuring SNMPv3 using the NNCLI 121 Other USM commands The following are additional snmp-server user commands: snmp-server user followed by: auth <user name> old-password <value> new-password <value> priv <user name> old-password <value> new-password <value> Changes the authentication password for an existing user. Changes privacy password for an existing user. To delete a user from the v3 VACM table, use the following command from Global configuration mode: no snmp-server user <UserName> To view information about a user, use the following command from Global configuration mode: show snmp-server user Configuration example: USM The following configuration example uses the commands described above to: Create a new USM user, testing. Set the authentication protocol to MD5. Set the authentication password to test. Display information on the user. Figure 26 on page 122 shows sample output using these commands. Configuring and Managing Security using the NNCLI and CLI

122 122 Chapter 6 Configuring SNMPv3 using the NNCLI Figure 26 USM command sample output Passport-8306:5(config)#snmp-server user testing md5 auth test Passport-8306:5(config)#show snmp-server user Engine ID = 80:00:08:E0:03:00:80:2D:B7:AC:00 ============================================================================ USM Configuration ============================================================================ User Name Protocol testing HMAC_MD5, NO PRIVACY initialview NO AUTH, NO PRIVACY 2 out of 2 Total entries displayed Passport-8306:5(config)# Creating a new user group member To create a new group member on the Ethernet Routing Switch 8300, enter the following command from Global configuration mode: snmp-server member <user name> <model> [<group name>] The snmp-server member command includes the following options: snmp-server member followed by: user name model group name Creates the new entry with this user name. The range is 1 to 32 characters. Specifies the message processing model to use when generating an SNMP message. The valid options are usm, snmpv1, and snmpv2c. Assigns the user to the group for data access. The range is 1 to 32 characters C

123 Other member commands Chapter 6 Configuring SNMPv3 using the NNCLI 123 The following are additional snmp-server member commands: snmp-server member followed by: name <user name> <model> <group name> Change group name for the v3 VACM table. To delete a user group from the v3 VACM table, use the following command from Global configuration mode: no snmp-server member <user name> <model> To view information about a user group, use the following command from Global configuration mode: show snmp-server member Configuration example: SNMPv3 group The following configuration example uses the commands described above to: Create a new group user, john, using security model USM for group. Create a new group user, nick, using security model SNMPv2 for group. View the group member information. Delete group user nick. View the group member information. Figure 27 on page 124 shows sample output using these commands. Configuring and Managing Security using the NNCLI and CLI

124 124 Chapter 6 Configuring SNMPv3 using the NNCLI Figure 27 SNMPv3 group configuration sample output Passport-8306:5(config)# snmp-server member john usm group Passport-8306:5(config)# snmp-server member nick snmpv2c group Passport-8306:5(config)# show snmp-server member ============================================================================ VACM Group Membership Configuration ============================================================================ Sec Model User Name Group Name snmpv1 initialview v1v2grp snmpv2c nick group snmpv2c initialview v1v2grp usm john group 4 out of 4 Total entries displayed Passport-8306:5(config)# no snmp-server member nick snmpv2c Passport-8306:5(config)# show snmp-server member ============================================================================ VACM Group Membership Configuration ============================================================================ Sec Model User Name Group Name snmpv1 initialview v1v2grp snmpv2c initialview v1v2grp usm john group 3 out of 3 Total entries displayed Passport-8306:5(config)# Creating v3 group access To create new access for a group in the VACM table on the Ethernet Routing Switch 8300, use the following command from Global configuration mode: snmp-server group <group name> <prefix> <model> <level> C

125 Chapter 6 Configuring SNMPv3 using the NNCLI 125 The snmp-server group command includes the following options: snmp-server group followed by: group name Creates the new entry with this group name. The range is 1 to 32 characters. prefix Assigns a context prefix. The range is 0 to 32 characters. Note: The prefix option is not supported in the current release of the Ethernet Routing Switch 8300; however, because it is part of the index for the table, it must be configured. When you configure prefix, enter to indicate an empty string. model level Assigns the authentication checking to communicate to the switch. The valid options are usm, snmpv1, and snmpv2c. Assigns the minimum level of security required to gain the access rights allowed by this conceptual row. The valid options are authpriv, authnopriv, or noauthnopriv. Other group-access commands The following is an additional snmp-server group command: snmp-server group followed by: view <group name> <prefix> <model> <level> [read <value>] [write <value>] Assigns a MIB view for the specified group. read value indicates that you want the group to have read access to the specified value (that is, MIB view). write value indicates that you want the group to have write access to the specified value (that is, MIB view). To delete group access from the v3 VACM table, use the following command: no snmp-server group <group name> <prefix> <model> <level> Configuring and Managing Security using the NNCLI and CLI

126 126 Chapter 6 Configuring SNMPv3 using the NNCLI To see information about a the group, use the following command from Global configuration mode: show snmp-server group Configuration example: SNMPv3 group access The following configuration example uses the commands described above to: Create a new group access, secondary, using as the prefix, the security model as USM, and level as NoAuthNoPriv. Create a new group access, tertiary, using as the prefix, security model as USM, and level as NoAuthNoPriv. Delete group access for secondary. Change the group access for tertiary to read as tertiary and write as tertiary. Display the configured VACM groups. Figure 28 on page 127 shows sample output using these commands C

127 Figure 28 SNMPv3 group access configuration output Chapter 6 Configuring SNMPv3 using the NNCLI 127 Passport-8306:5(config)# snmp-server group secondary usm noauthnopriv Passport-8306:5(config)# snmp-server group tertiary usm noauthnopriv Passport-8306:5(config)# no snmp-server group secondary usm noauthnopriv Passport-8306:5(config)# snmp-server group view tertiary usm noauthnopriv read tertiary write tertiary Passport-8310:6(config)#show snmp-server group ============================================================================ VACM Group Access Configuration ============================================================================ Group Prefix Model Level ReadV WriteV initial usm authpriv org org readgrp snmpv1 noauthnopriv v1v2only readgrp snmpv2c noauthnopriv v1v2only v1v2grp snmpv1 noauthnopriv v1v2only v1v2only v1v2grp snmpv2c noauthnopriv v1v2only v1v2only tertiary usm noauthnopriv tertiary tertiary 6 out of 6 Total entries displayed Passport-8310:6(config)# Creating a new entry for the MIB in the View table To create a new entry for the MIB View table on the Ethernet Routing Switch 8300, enter the following command from Global configuration mode: snmp-server view <View Name> <subtree oid> [mask <value>] [type <value>] Configuring and Managing Security using the NNCLI and CLI

128 128 Chapter 6 Configuring SNMPv3 using the NNCLI The snmp-server view command includes the following options: snmp-server view followed by: View Name subtree oid mask <value> (Optional) type <include exclude> (Optional) Creates a new entry with this group name. The range is 1 to 32 characters. The prefix that defines the set of MIB objects accessible by this SNMP entity. The range is 1 to 32 characters. Specifies that a bit mask be used with vacmviewtreefamilysubtree to determine whether an OID falls under a view subtree. Determines whether access to a mib object is granted or denied. Other MIB-view commands The following are additional snmp-server view commands: snmp-server view followed by: mask <View Name> <subtree oid> <new-mask> type <View Name> <subtree oid> <new-type> Changes the view mask for an entry in the MIB-view table. Changes the type for an entry in the MIB-view table. To delete an entry for the MIB view table, use the following command: no snmp-server view <View Name> <subtree oid> Configuration example: MIB view The following configuration example uses the commands described above to: Create a new MIB view, dev, using the subtree oid as and type is include C

129 Chapter 6 Configuring SNMPv3 using the NNCLI 129 Change the type to exclude. Figure 29 shows sample output using these commands. Figure 29 MIB View configuration sample output Passport-8306:5(config)# snmp-server view dev type include Passport-8306:5(config)# snmp-server view type dev exclude Passport-8306:5(config)# Creating a community Note: When you configure SNMPv3 with a community table, the group member must be configured with both the snmpv1 and the snmpv2c entries (see Creating a new user group member on page 122 for instructions). The current implementation of Device Manager uses SNMPv1 for discovering the Ethernet Routing Switch 8300 and SNMPv2c for accessing the MIB. To create a community on the Ethernet Routing Switch 8300, enter the following command from Global configuration mode: snmp-server community <Comm Idx> <commstr> <security> The snmp-server community command includes the following options: snmp-server community followed by: Comm Idx commstr security The unique index value of a row in this table. The range is 1-32 characters. The community string for which a row in this table represents a configuration. Maps the community string to the security name in the VACM Group Member Table. Configuring and Managing Security using the NNCLI and CLI

130 130 Chapter 6 Configuring SNMPv3 using the NNCLI Changing the default community strings If you re using the default public/private access through SNMPv1, SNMPv2, or SNMPv3 and want to change them, use the following commands: snmp-server community name first new_public snmp-server community name second new_private Other community commands The following are additional snmp-server community commands: snmp-server community followed by: name <Comm Idx> <new-name> security <Comm Idx> <new-security> Changes the name for an entry in the community table. Changes the security name for an entry in the community table. To delete an entry from the community table, use the following command: no snmp-server community <Comm Idx> Note: You cannot delete the default communities (first and second). Configuration example: community The following configuration example uses the commands described above to: Create a community using third as the index, using public as the name, and v1v2only as security. Change the name to private. Change the security to v1v3only. Figure 30 on page 131 shows sample output using these commands C

131 Figure 30 Community configuration sample output Chapter 6 Configuring SNMPv3 using the NNCLI 131 Passport-8306:5(config)# snmp-server community third public v1v2only Passport-8306:5(config)# snmp-server community name third private Passport-8306:5(config)# snmp-server community security third v1v3only Passport-8306:5(config)# SNMPv3 configuration example The following procedure shows how to create a user for SNMPv3, create a group for that user, assign view access for that group, and create and assign a MIB view for that group. You use the following commands from Global configuration mode. 1 Create a user (for example, rdalton). snmp-server user rdalton md5 auth password 2 Create a group and assign that to the user. snmp-server member rdalton usm newgroup 3 Assign view access for the newly created group. snmp-server group newgroup usm authnopriv 4 Create a MIB view. snmp-server view newmibview Assign a MIB view for the group. snmp-server group view newgroup usm authnopriv read-view newmibview write-view newmibview Configuring and Managing Security using the NNCLI and CLI

132 132 Chapter 6 Configuring SNMPv3 using the NNCLI SNMPv1/SNMPv2 configuration example The following procedure shows how to create a user for SNMPv1 or SNMPv2, create a group for that user, and assign view access and a MIB view for that group. You use these commands from Global configuration mode. 1 Create a user. For this example, index1 is the index of the entry, newgroup is the community string that will be used for login, and initialview is the security name that is associated with the group-member table (VCAM table). snmp-server community index1 newgroup initialview 2 Create a group and assign it to a user for SNMPv1 or SNMPv2. For this example, newgroupgrp is the group that belongs to the community newgroup. snmp-server member initialview snmpv1 newgroupgrp or snmp-server member initialview snmpv2c newgroupgrp 3 Assign view access for the newly created group. snmp-server group newgroupgrp snmpv1 noauthnopriv or snmp-server group newgroupgrp snmpv2c noauthnopriv 4 Assign a MIB view for the group. For this example, use the root MIB view; if this does not exist, use org. snmp-server group view newgroupgrp snmpv1 noauthnopriv read root write root or snmp-server group view newgroupgrp snmpv2c noauthnopriv read root write root Note: You can also create your own MIB view by using the command snmp-server view <View Name> <subtree oid> [mask <value> [type <value>] (see Creating a new entry for the MIB in the View table for instructions). After you create a MIB view, you can then assign it to a group C

133 Displaying SNMP system information Chapter 6 Configuring SNMPv3 using the NNCLI 133 To display the running configuration, including SNMP system information, on the Ethernet Routing Switch 8300, enter the following command from Privileged EXEC, Global configuration, or Interface configuration mode: show running-config Configuration example: show SNMP system information Figure 31 on page 134 shows sample output for the show running-config command. Configuring and Managing Security using the NNCLI and CLI

134 134 Chapter 6 Configuring SNMPv3 using the NNCLI Figure 31 SNMP system information sample output Passport-8310:6(config)#show running-config Preparing to Display Configuration... # # WED MAR 17 06:36: UTC # box type : Passport-8310 # software version : REL _B106 # monitor version : /106 # # # Asic Info : # SlotNum Name CardType Parts Description # # Slot TXPOE 0x # Slot GTX 0x # Slot x # Slot x # Slot x # Slot SF 0x CPU: PP=1 FA=2 XBAR=0 CPLD=5... # # SNMP V3 GLOBAL CONFIGURATION # snmp-server host v1 public # # SNMP V3 GROUP MEMBERSHIP CONFIGURATION # snmp-server member john usm group # # SNMP V3 GROUP ACCESS CONFIGURATION # snmp-server group "test1" "20" snmpv1 noauthnopriv snmp-server group "test1" "20" snmpv1 authpriv snmp-server group "tertiary" "" usm noauthnopriv snmp-server group "secondary" "" usm noauthnopriv # # SNMP V3 MIB VIEW CONFIGURATION # C

135 Chapter 6 Configuring SNMPv3 using the NNCLI 135 Note: To maintain security, the USM table is not displayed. This prevents viewing of the USM auth and priv passwords. When you chose save config, the usm table is saved in an encrypted file called snmp_usm.txt without the default entries. Blocking SNMP You disable SNMP access to the Ethernet Routing Switch 8300 by entering the following commands: Passport-8310:5(config)#bootconfig flags block-snmp Passport-8310:5(config)#exit Passport-8310:5#save boot Passport-8310:5#boot -y By default, SNMP access is enabled. To reenable SNMP access, enter the following command: Passport-8310:5(config)#no bootconfig flags block-snmp Configuring and Managing Security using the NNCLI and CLI

136 136 Chapter 6 Configuring SNMPv3 using the NNCLI C

137 Chapter 7 Configuring SNMPv3 using the CLI 137 An SNMPv3 engine provides services for sending and receiving messages, authenticating and encrypting messages, and controlling access to managed objects. There is a one-to-one association between an SNMP engine and the SNMP entity, which contains it. This chapter describes how to set up your SNMP configuration using the CLI, and contains the following topics: Topic Page Loading the encryption module 138 Creating a new user in the USM table 140 Creating a new user group member 142 Creating v3 group access 144 Creating a new entry for the MIB in the View table 147 Creating a community 151 SNMPv3 configuration example 155 SNMPv1/SNMPv2 configuration example 155 Displaying SNMP system information 159 Blocking SNMP 159 Configuring and Managing Security using the NNCLI and CLI

138 138 Chapter 7 Configuring SNMPv3 using the CLI Roadmap of CLI SNMPv3 commands The following roadmap lists the CLI SNMPv3 commands and their parameters. Use this list as a quick reference or click on any entry for more information: Command config snmp-v3 usm create <User Name> [<auth protocol>] [auth <value>] [priv <value>] config snmp-v3 group-member create <user name> <model> [<group name>] config snmp-v3 group-access create <group name> <prefix> <model> <level> config snmp-v3 mib-view create <View Name> <subtree oid> [mask <value>] [type <value>] config snmp-v3 community create <Comm Idx> <name> <security> show config module sys Parameter Loading the encryption module Before you access the switch using SNMPv3 with DES encryption, you must load the encryption module, p83c2200.des, which allows you to use the Privacy protocol. 1 Open in your browser. 2 Log in. 3 Ensure the Browse product support tab is selected. 4 Select Passport from the list in box 1. 5 Select Ethernet Routing Switch 8300 from the list in box 2. 6 Select Software from the list in box 3. 7 Click Go C

139 Chapter 7 Configuring SNMPv3 using the CLI Click on the Ethernet Routing Switch 8300 SNMPv3 & 3DES link. 9 Answer the questions on the questionnaire. 10 Click Submit. 11 Right-click on the file download link and enter a file location in which to copy the DES encryption module. 12 Click OK. 13 The file is downloaded. Note: Note the location of this file. You must load the file on the switch before you can use the protocol. 14 Use FTP or TFTP to load this file to the switch. Note: If FTP or TFTP fails, either the service is not enabled or a filter is blocking FTP or TFTP access. 15 Open the DOS window. Figure 32 shows sample output from an FTP session. Figure 32 FTP sample output from DOS window c:\ftp < > Connected to < > 220 Passport FTP server ready User (< >:(none)): rwa 331 Password required Password: *** 230 User logged in ftp> bin 200 Type set to I, binary mode ftp> put <path to file on the PC> 16 Return to the Ethernet Routing Switch 8300 and load the module. config load-module DES /flash/p83c2200.des Configuring and Managing Security using the NNCLI and CLI

140 140 Chapter 7 Configuring SNMPv3 using the CLI Creating a new user in the USM table To create a new user in the USM table on the Ethernet Routing Switch 8300, enter the following command: config snmp-v3 usm create <User Name> [<auth protocol>] [auth <value>] [priv <value>] where: User Name specifies the security name. The name is used as an index to the table. The range is 1 to 32 characters. auth protocol specifies an authentication protocol. If no value is entered, the entry has no authentication capability. The protocol choices are MD5 and SHA. auth value specifies an authentication password. If no value is entered, the entry has no authentication capability. The range is 1 to 32 characters. priv value assigns a privacy password. If no value is entered, the entry has no privacy capability. The range is 1 to 32 characters. You must set authentication before you can set the privacy option. Other USM commands The following are additional config snmp-v3 usm commands: config snmp-v3 usm followed by: info delete <User Name> auth <User Name> old-pass <value> new-pass <value> priv <User Name> old-pass <value> new-pass <value> Displays the configured USM users. Deletes a user for the USM table. Changes the authentication password. Changes privacy password C

141 Chapter 7 Configuring SNMPv3 using the CLI 141 Configuration example: USM The following configuration example uses the commands described above to: Create a new USM user, testing. Set the authentication protocol to MD5. Set the authentication password to test. Display information on the user. Figure 33 shows sample output using these commands. Figure 33 USM command sample output Passport-8310:5# config snmp-v3 usm create testing md5 auth test WARNING : For security purpose, we are strongly recommanded that NOT to use repeated pattern for your password. Passport-8310:5# config snmp-v3 usm info Engine ID = 80:00:08:E0:03:00:0E:40:BF:50:00 ================================================================================ USM Configuration ================================================================================ User Name Protocol user1 HMAC_MD5, DES PRIVACY user2 HMAC_MD5, NO PRIVACY testing HMAC_MD5, NO PRIVACY 3 out of 3 Total entries displayed Passport-8310:5# Configuring and Managing Security using the NNCLI and CLI

142 142 Chapter 7 Configuring SNMPv3 using the CLI Creating a new user group member To create a new user group for the v3 VACM table on the Ethernet Routing Switch 8300, enter the following command: config snmp-v3 group-member create <user name> <model> [<group name>] The config snmp-v3 group-member create command includes the following options: config snmp-v3 group-member create followed by: user name model group name Creates the new entry with this user name. The range is 1 to 32 characters. Specifies the message processing model to use when generating an SNMP message. The valid options are snmpv1, snmpv2c, and usm. Assigns the user to the group for data access. The range is 1 to 32 characters. This is an optional parameter. Other group-member commands The following are additional config snmp-v3 group-member commands: config snmp-v3 group-member followed by: info delete <user name> <model> name <user name> <model> <group name> Displays the VACM group membership configuration Deletes a user group for the v3 VACM table Change group name for the v3 VACM table Configuration example: SNMPv3 group The following configuration example uses the commands described above to: C

143 Chapter 7 Configuring SNMPv3 using the CLI 143 Create a new group user, john, using security model USM for group. Create a new group user, nick, using security model SNMPv2 for group. View the group member information. Delete group user nick. View the group member information. Figure 34 shows sample output using these commands. Figure 34 SNMPv3 group configuration sample output Passport-8310:5# config snmp-v3 group-member create john usm group Passport-8310:5# config snmp-v3 group-member create nick snmpv2c group Passport-8310:5# config snmp-v3 group-member info ============================================================================ VACM Group Membership Configuration ============================================================================ Sec Model User Name Group Name snmpv1 initialview v1v2grp snmpv2c nick group snmpv2c initialview v1v2grp usm john group 4 out of 4 Total entries displayed Passport-8310:5# config snmp-v3 group-member delete nick snmpv2c Passport-8310:5# config snmp-v3 group-member info ============================================================================ VACM Group Membership Configuration ============================================================================ Sec Model User Name Group Name snmpv1 initialview v1v2grp snmpv2c initialview v1v2grp usm john group 3 out of 3 Total entries displayed Passport-8310:5# Configuring and Managing Security using the NNCLI and CLI

144 144 Chapter 7 Configuring SNMPv3 using the CLI Creating v3 group access To create new access for a group in the VACM table on the Ethernet Routing Switch 8300, use the following command: config snmp-v3 group-access create <group name> <prefix> <model> <level> The config snmp-v3 group-access create command includes the following options: config snmp-v3 group-access create followed by: group name Creates the new entry with this group name. The range is 1 to 32 characters. prefix Assigns a context prefix. The range is 0 to 32 characters. Note: The prefix option is not supported in the current release of the Ethernet Routing Switch 8300; however, because it is part of the index for the table, it must be configured. When you configure prefix, enter to indicate an empty string. model level Assigns the authentication checking to communicate to the switch. The valid options are usm, snmpv1, and snmpv2c. Assigns the minimum level of security required to gain the access rights allowed by this conceptual row. The valid options are authpriv, authnopriv, or noauthnopriv C

145 Other group-access commands Chapter 7 Configuring SNMPv3 using the CLI 145 The following are additional config snmp-v3 group-access commands: config snmp-v3 group-access followed by: info delete <group name> <prefix> <model> <level> view <group name> <prefix> <model> <level> [read <value>] [write <value>] Displays VACM group access information, including group names and access levels. Removes group access for the v3 VACM table. Assigns a MIB view for the specified group. read value indicates that you want the group to have read access to the specified value (that is, MIB view). write value indicates that you want the group to have write access to the specified value (that is, MIB view). Configuration example: SNMPv3 group access The following configuration example uses the commands described above to: Create a new group access, secondary, using as the prefix, the security model as USM, and level as NoAuthNoPriv. Create a new group access, tertiary, using as the prefix, security model as USM, level as NoAuthNoPriv. View the group access information. Delete group access for secondary. Assign the MIB view, org, to the group, tertiary. View the group access information. Figure 35 on page 146 shows sample output using these commands. Configuring and Managing Security using the NNCLI and CLI

146 146 Chapter 7 Configuring SNMPv3 using the CLI Figure 35 SNMPv3 group access configuration sample output Passport-8310:5# config snmp-v3 group-access create secondary "" usm noauthnopriv Passport-8310:5# config snmp-v3 group-access create tertiary "" usm noauthnopriv Passport-8310:5# config snmp-v3 group-access info ============================================================================ VACM Group Access Configuration ============================================================================ Group Prefix Model Level ReadV WriteV group_1 usm authnopriv org private group_1 usm authpriv org org initial usm authpriv org org readgrp snmpv1 noauthnopriv v1v2only readgrp snmpv2c noauthnopriv v1v2only v1v2grp snmpv1 noauthnopriv v1v2only v1v2only v1v2grp snmpv2c noauthnopriv v1v2only v1v2only tertiary usm noauthnopriv secondary usm noauthnopriv 9 out of 9 Total entries displayed Passport-8310:5# config snmp-v3 group-access delete secondary "" usm noauthnopriv Passport-8310:5# config snmp-v3 group-access view tertiary "" usm noauthnopriv read org write org Passport-8310:5# config snmp-v3 group-access info ============================================================================ VACM Group Access Configuration ============================================================================ Group Prefix Model Level ReadV WriteV group_1 usm authnopriv org private group_1 usm authpriv org org initial usm authpriv org org readgrp snmpv1 noauthnopriv v1v2only readgrp snmpv2c noauthnopriv v1v2only v1v2grp snmpv1 noauthnopriv v1v2only v1v2only v1v2grp snmpv2c noauthnopriv v1v2only v1v2only tertiary usm noauthnopriv org org 8 out of 8 Total entries displayed C

147 Chapter 7 Configuring SNMPv3 using the CLI 147 Creating a new entry for the MIB in the View table To create a new entry for the MIB View table on the Ethernet Routing Switch 8300, enter the following command: config snmp-v3 mib-view create <View Name> <subtree oid> [mask <value>] [type <value>] The config snmp-v3 mib-view create command includes the following options: config snmp-v3 mib-view create followed by: View Name subtree oid mask <value> (Optional) type <include exclude> (Optional) Creates a new entry with this group name. The range is 1 to 32 characters. The prefix that defines the set of MIB objects accessible by this SNMP entity. The range is 1 to 32 characters. Specifies that a bit mask be used with vacmviewtreefamilysubtree to determine whether an OID falls under a view subtree. Determines whether access to a mib object is granted or denied. Other MIB-view commands The following are additional config snmp-v3 mib-view commands: config snmp-v3 mib-view followed by: info delete <View Name> <subtree oid> Displays MIB view information, including view names and subtree object IDs. Deletes an entry an entry for the MIB-view table. Configuring and Managing Security using the NNCLI and CLI

148 148 Chapter 7 Configuring SNMPv3 using the CLI config snmp-v3 mib-view followed by: mask <View Name> <subtree oid> <new-mask> type <View Name> <subtree oid> <new-type> Changes the view mask for an entry in the MIB-view table. Changes the type for an entry in the MIB-view table. Configuration example: MIB view The following configuration example uses the commands described above to: Create a new MIB view, dev, using a subtree oid of , a mask of ffff, and type of include. View the MIB view information. Change the type to exclude. View the MIB view information. Figure 36 on page 149 and Figure 37 on page 150 shows sample output using these commands C

149 Figure 36 MIB view commands sample output Chapter 7 Configuring SNMPv3 using the CLI 149 Passport-8310:5# config snmp-v3 mib-view create dev mask ffff type include Passport-8310:5# config snmp-v3 mib-view info ============================================================================ MIB View ============================================================================ View Name Subtree Mask Type dev xffff include org 1 include root 1 include snmp include snmp include layer1 1.3 exclude layer include layer include 8 out of 8 Total entries displayed Passport-8310:5# config snmp-v3 mib-view type dev exclude Passport-8310:5# config snmp-v3 mib-view info ============================================================================ MIB View ============================================================================ View Name Subtree Mask Type dev xffff exclude org 1 include root 1 include snmp include snmp include layer1 1.3 exclude layer include layer include 8 out of 8 Total entries displayed Passport-8310:5# Configuring and Managing Security using the NNCLI and CLI

150 150 Chapter 7 Configuring SNMPv3 using the CLI Figure 37 MIB view commands sample output Passport-8310:5# config snmp-v3 mib-view create dev type include Passport-8310:5# config snmp-v3 mib-view info ============================================================================ MIB View ============================================================================ View Name Subtree Mask Type dev include org 1.3 include root 1 include snmp include snmp include v1v2only 1 include v1v2only exclude v1v2only exclude 8 out of 8 Total entries displayed Passport-8310:5# config snmp-v3 mib-view type dev exclude Passport-8310:5# config snmp-v3 mib-view info ============================================================================ MIB View ============================================================================ View Name Subtree Mask Type dev exclude org 1.3 include root 1 include snmp include snmp include v1v2only 1 include v1v2only 1.3 include v1v2only exclude 8 out of 8 Total entries displayed Passport-8310:5# C

151 Chapter 7 Configuring SNMPv3 using the CLI 151 Creating a community Note: When you configure SNMPv3 with a community table, the group member must be configured with both the snmpv1 and the snmpv2c entries (see Creating a new user group member on page 142 for instructions). The current implementation of Device Manager uses SNMPv1 for discovering the Ethernet Routing Switch 8300 and SNMPv2c for accessing the MIB. To create a community on the Ethernet Routing Switch 8300, enter the following command: config snmp-v3 community create <Comm Idx> <name> <security> The config snmp-v3 community create command includes the following options: config snmp-v3 community create followed by: Comm Idx name security The unique index value of a row in this table. The range is 1-32 characters. The community string for which a row in this table represents a configuration. name can be up to 32 characters. Maps community string to the security name in the VACM Group Member Table. security can be up to 32 characters. Changing the default community strings If you re using the default public/private access through SNMPv1, SNMPv2, or SNMPv3 and want to change them, use the following commands: config snmp-v3 community name first new_public config snmp-v3 community name second new_private Configuring and Managing Security using the NNCLI and CLI

152 152 Chapter 7 Configuring SNMPv3 using the CLI To view the Community Table, use the following command: config snmp-v3 community info Figure 38 shows the output from this command. Figure 38 config snmp-v3 community info output Passport-8310:5# config snmp-v3 community info ================================================================================ Community Table ================================================================================ INDEX NAME SECURITYNAME first ******** readview second ******** initialview 2 out of 2 Total entries displayed Passport-8310:5# Other community commands The following are additional config snmp-v3 community commands: config snmp-v3 community followed by: info Displays the community table, including the index, name, and security name. delete <Comm Idx> name <Comm Idx> new-name <value> security <Comm Idx> new-security <value> Deletes an entry from the community table. Note: You cannot delete the default communities (first and second). Changes the name for an entry in the community table. Changes the security name for an entry in the community table C

153 Chapter 7 Configuring SNMPv3 using the CLI 153 Configuration example: community The following configuration example uses the commands described above to: Create a community using third as the index, using public as the name, and v1v2only as security. View the community information. Change the name to private. View the community information. Change the security to v1v3only. View the community information. Figure 39 on page 154 shows sample output using these commands. Configuring and Managing Security using the NNCLI and CLI

154 154 Chapter 7 Configuring SNMPv3 using the CLI Figure 39 Community commands sample output Passport-8310:5# config snmp-v3 community create third public v1v2only Passport-8310:5# config snmp-v3 community info ============================================================================ Community Table ============================================================================ INDEX NAME SECURITYNAME first ******** readview second ******** initialview third ******** v1v2only 3 out of 3 Total entries displayed Passport-8310:5# config snmp-v3 community name third new-name private Passport-8310:5# config snmp-v3 community info ============================================================================ Community Table ============================================================================ INDEX NAME SECURITYNAME first ******** readview second ******** initialview third ******** v1v2only 3 out of 3 Total entries displayed Passport-8310:5# config snmp-v3 community security third new-security v1v3only Passport-8310:5# config snmp-v3 community info ============================================================================ Community Table ============================================================================ INDEX NAME SECURITYNAME first ******** readview second ******** initialview third ******** v1v3only 3 out of 3 Total entries displayed C

155 SNMPv3 configuration example Chapter 7 Configuring SNMPv3 using the CLI 155 The following procedure shows how to create a user for SNMPv3, create a group for that user, assign view access for that group, and create and assign a MIB view for that group. 1 Create a user (for example, rdalton). config snmp-v3 usm create rdalton md5 auth password 2 Create a group and assign it to the user. config snmp-v3 group-member create rdalton usm newgroup 3 Assign view access for the newly created group. config snmp-v3 group-access create newgroup usm authnopriv 4 Create a MIB view. config snmp-v3 mib-view create newmibview Assign a MIB view for the group. config snmp-v3 group-access view newgroup usm authnopriv read newmibview write newmibview SNMPv1/SNMPv2 configuration example The following procedure shows how to create a user for SNMPv1 or SNMPv2, create a group for that user, and assign view access and a MIB view for that group. 1 Create a user. For this example, index1 is the index of the entry, newgroup is the community string that will be used for login, and initialview is the security name that is associated with the group-member table (VCAM table). config snmp-v3 community create index1 newgroup initialview 2 Create a group and assign it to a user for SNMPv1 or SNMPv2. For this example, newgroupgrp is the group that belongs to the community newgroup. Configuring and Managing Security using the NNCLI and CLI

156 156 Chapter 7 Configuring SNMPv3 using the CLI config snmp-v3 group-member create initialview snmpv1 newgroupgrp or config snmp-v3 group-member create initialview snmpv2c newgroupgrp 3 Assign view access for the newly created group. config snmp-v3 group-access create newgroupgrp snmpv1 noauthnopriv or config snmp-v3 group-access create newgroupgrp snmpv2c noauthnopriv 4 Assign a MIB view for the group. For this example, use the root MIB view; if this does not exist, use org. config snmp-v3 group-access view newgroupgrp snmpv1 noauthnopriv read root write root or config snmp-v3 group-access view newgroupgrp snmpv2c noauthnopriv read root write root Note: You can also create your own MIB view by using the command config snmp-v3 mib-view create <View Name> <subtree oid> [mask <value>] [<type <value>] (see Creating a new entry for the MIB in the View table on page 147 for instructions). After you create a MIB view, you can then assign it to a group C

157 Displaying SNMP system information Chapter 7 Configuring SNMPv3 using the CLI 157 To display configuration information, including SNMP system information, on the Ethernet Routing Switch 8300, enter the following command: show config module sys Configuration example: show SNMP system information Figure 40 on page 158 shows sample output for the show config module sys command. Configuring and Managing Security using the NNCLI and CLI

158 158 Chapter 7 Configuring SNMPv3 using the CLI Figure 40 show config module sys sample output Passport-8310:5# show config module sys Preparing to Display Configuration... # # WED MAR 17 08:33: UTC # box type : Passport-8310 # software version : REL _B108 # monitor version : /108 # # # Asic Info : # SlotNum Name CardType Parts Description # # Slot x # Slot x # Slot x # Slot x # Slot SF 0x CPU: PP=1 FA=2 XBAR=0 CPLD=5... # SNMP V3 GROUP MEMBERSHIP CONFIGURATION # snmp-v3 group-member create user1 usm group_1 snmp-v3 group-member create user2 usm group_1 # # SNMP V3 GROUP ACCESS CONFIGURATION # snmp-v3 group-access create group_1 "" usm authnopriv snmp-v3 group-access view group_1 "" usm authnopriv read "org" write "private" snmp-v3 group-access create group_1 "" usm authpriv snmp-v3 group-access view group_1 "" usm authpriv read "org" write "org" snmp-v3 group-access create tertiary "" usm noauthnopriv snmp-v3 group-access view tertiary "" usm noauthnopriv read "tertiary" write "tertiary" # # SNMP V3 MIB VIEW CONFIGURATION # snmp-v3 mib-view create private type exclude C

159 Chapter 7 Configuring SNMPv3 using the CLI 159 Note: To maintain security, the USM table is not displayed. This prevents viewing of the USM auth and priv passwords. When you chose save config, the usm table is saved in an encrypted file called snmp_usm.txt without the default entries. Blocking SNMP You disable SNMP access to the Ethernet Routing Switch 8300 by entering the following commands: Passport-8310:5#config bootconfig flags block-snmp true Passport-8310:5#save boot Passport-8310:5#boot -y By default, SNMP access is enabled. To reenable SNMP access, enter the following command: Passport-8310:5#config bootconfig flags block-snmp false Configuring and Managing Security using the NNCLI and CLI

160 160 Chapter 7 Configuring SNMPv3 using the CLI C

161 Chapter 8 Configuring SSH using the NNCLI 161 This chapter describes how to configure SSH using the NNCLI. The Ethernet Routing Switch 8300 acts as a server (the client mode is not currently supported), and secures the communication between a client (PC, Unix) and the switch. The implementation of the SSH server in the Ethernet Routing Switch 8300 enables the SSH client to make a secure connection to an Ethernet Routing Switch 8300 and works with commercially-available SSH clients. Note: Due to export restrictions, the encryption capability is separated from the main image. This requires the p83c2200.img file to be loaded separately. NNCLI commands for SSH This section lists the NNCLI commands used to enable SSH and configure SSH parameters. Specifically, this chapter includes the following topics: Topic Page Enabling the SSH server 162 Configuring SSH 162 Defining the action 162 Enabling/disabling DSA authentication 163 Enabling/disabling the SSH daemon 163 Configuring and Managing Security using the NNCLI and CLI

162 162 Chapter 8 Configuring SSH using the NNCLI Topic Page Setting the maximum number of SSH sessions 163 Enabling password authentication 163 Setting the SSH connection port 163 Enabling RSA authentication 164 Setting the SSH authentication timeout 164 Setting the SSH version 164 Creating the user-defined access policy to enable 164 service connections Loading the encryption module in the switch 165 Viewing configured SSH parameters 165 Enabling the SSH server To enable the SSH server, use the following command from Global configuration mode and higher: bootconfig flags sshd no bootconfig flags sshd Configuring SSH Use the following commands to configure SSH parameters. The NNCLI commands must be executed from Global configuration mode or higher. Defining the action The command is broken into individual commands in NNCLI mode. The no ssh dsa-host-key command is equivalent to the dsa-keydel CLI option. Similarly, the no ssh rsa-host-key corresponds to rsakeydel. ssh dsa-host-key [integer] no ssh dsa-host-key ssh rsa-host-key [integer] no ssh rsa-host-key C

163 Chapter 8 Configuring SSH using the NNCLI 163 where <integer> is the SSH host key size. The value is in the range The default value is Enabling/disabling DSA authentication ssh dsa-auth no ssh dsa-auth The default value is true/enabled. Enabling/disabling the SSH daemon ssh secure ssh no ssh By default, the daemon is disabled. Setting the maximum number of SSH sessions ssh max-session [integer] where <integer> is a value in the range 0 8. The default value is 4. Enabling password authentication ssh pass-auth no ssh pass-auth By default, password authentication is enabled. Setting the SSH connection port ssh port <integer> Configuring and Managing Security using the NNCLI and CLI

164 164 Chapter 8 Configuring SSH using the NNCLI where <integer> is the port number. The port number value is in the range The default value is 22. Note: SSH session is not established for reserved ports. If you attempt to configure a reserved port (for example, port 23 (Telnet)) as an SSH connection port, the SSH session will not be established. Furthermore, you cannot later change the port number or any other parameters, even if you disable SSH. The default SSH connection port is 22. To configure additional SSH connection ports, use port numbers greater than 1024 (up to 65535). Enabling RSA authentication ssh rsa-auth no ssh rsa-key By default, RSA authentication is enabled. Setting the SSH authentication timeout ssh timeout <integer> where <integer> is a value in seconds in the range The default value is 60 seconds. Setting the SSH version ssh version {v2only both} The default value is v2only. Creating the user-defined access policy to enable service connections The user-defined policy must be created before enabling/disabling any service. access-policy policy <id> ssh no access-policy policy <id> ssh C

165 Chapter 8 Configuring SSH using the NNCLI 165 Loading the encryption module in the switch load-module 3DES WORD <1-1536> Viewing configured SSH parameters The SSH parameters can be verified using the following commands. The commands can be executed from the Privilege EXEC, User EXEC, Global configuration, and the Interface modes. show ssh global show ssh session Configuring and Managing Security using the NNCLI and CLI

166 166 Chapter 8 Configuring SSH using the NNCLI C

167 Chapter 9 Configuring SSH using the CLI 167 This chapter describes how to configure SSH using the CLI. The Ethernet Routing Switch 8300 switch acts as a server (the client mode is not currently supported), and secures the communication between a client (PC, Unix) and the switch. The implementation of the SSH server in the Ethernet Routing Switch 8300 enables the SSH client to make a secure connection to an Ethernet Routing Switch 8300 and works with commercially-available SSH clients. Note: Due to export restrictions, the encryption capability is separated from the main image. This requires the p83c2200.img file to be loaded separately. CLI commands for SSH This section lists the CLI commands used to enable SSH and configure SSH parameters. Specifically, this chapter includes the following topics: Topic Page Enabling the SSH server 168 Configuring SSH 168 Defining the action 168 Enabling/disabling DSA authentication 168 Enabling/disabling the SSH daemon 169 Configuring and Managing Security using the NNCLI and CLI

168 168 Chapter 9 Configuring SSH using the CLI Topic Page Setting the maximum number of SSH sessions 169 Enabling password authentication 169 Setting the SSH connection port 169 Enabling RSA authentication 170 Setting the SSH authentication timeout 170 Setting the SSH version 170 Creating the user-defined access policy to enable service connections 170 Loading the encryption module in the switch 170 Viewing configured SSH parameters 170 Enabling the SSH server Use the following command to enable the SSH server: config bootconfig flags sshd <true false> Configuring SSH Use the following commands to configure SSH parameters. Defining the action config sys set ssh action <action> [<integer>] where: <action> has the following options: rsa-keygen, rsa-keydel, dsa-keygen, dsa-keydel <integer> is the SSH host key size. The value is in the range The default value is Enabling/disabling DSA authentication config sys set ssh dsa-auth <true false> C

169 Chapter 9 Configuring SSH using the CLI 169 Enabling/disabling the SSH daemon config sys set ssh enable <true false secure> where: true enables SSH false disables SSH secure disables SSH and enables non-secure services Setting the maximum number of SSH sessions config sys set ssh max-sessions <integer> where <integer> is a value in the range 0 8. The default value is 4. Enabling password authentication config sys set ssh pass-auth <true false> By default, password authentication is enabled. Setting the SSH connection port config sys set ssh port <integer> where <integer> is the port number. The port number value is in the range The default value is 22. Note: SSH session is not established for reserved ports. If you attempt to configure a reserved port (for example, port 23 (Telnet)) as an SSH connection port, the SSH session will not be established. Furthermore, you cannot later change the port number or any other parameters, even if you disable SSH. The default SSH connection port is 22. To configure additional SSH connection ports, use port numbers greater than 1024 (up to 65535). Configuring and Managing Security using the NNCLI and CLI

170 170 Chapter 9 Configuring SSH using the CLI Enabling RSA authentication config sys set ssh rsa-auth <true false> By default, RSA authentication is enabled. Setting the SSH authentication timeout config sys set ssh timeout <integer> where <integer> is a value in seconds in the range The default value is 60 seconds. Setting the SSH version config sys set ssh version <both v2only> The default value is v2only. Creating the user-defined access policy to enable service connections The user-defined policy must be created before enabling/disabling any service. config sys access-policy policy <id> service ssh enable Loading the encryption module in the switch config load-module <3DES DES> <src-file> Viewing configured SSH parameters The SSH parameters can be verified using the following commands. show ssh global show ssh session C

171 Chapter 10 Setting up RADIUS servers 171 Nortel recommends that you configure at least two RADIUS servers in the network to provide redundancy. You can configure a maximum of 10 RADIUS servers in a single network. The Ethernet Routing Switch 8300 software supports BaySecure Access Control (BSAC*), Merit Network, and freeradius servers. For instructions on installing the BSAC, Merit Network, or freeradius server software on the server that you will use, see the installation manual that came with your software. Note: The BSAC server is now known as the Steel-Belted Radius server (SBR). The SBR Version 4.0 and higher includes a module that supports EAP. The procedures in this chapter for preparing a BSAC server to support RADIUS authentication are valid for the SBR. After the software is installed, you must make changes to one or more files for these servers. For information about the changes that must be made for the BSAC server, see Updating files for the BSAC RADIUS server. For information about the changes that must be made for the Merit Network server, see Updating the dictionary file for a Merit Network server. For information about changes that must be made for the freeradius server, see Updating files for the freeradius server. For detailed instructions on configuring a RADIUS server, including adding clients and adding users and access priorities, refer to the documentation that came with the server software. Configuring and Managing Security using the NNCLI and CLI

172 172 Chapter 10 Setting up RADIUS servers This chapter describes how to update four files for the BSAC RADIUS server, one file for the Merit Network server, and three files for the freeradius server. It also describes the vendor-specific attribute format for CLI commands if you re using a third-party RADIUS server and need to modify the dictionary files. Specifically, this chapter includes the following topics: Topic Page Updating files for the BSAC RADIUS server 172 Using a third-party RADIUS server 174 Updating the dictionary file for a Merit Network server 175 Updating files for the freeradius server 175 Changing user access 178 Enabling EAP authentication 183 Updating files for the BSAC RADIUS server After you have installed the BSAC server software on either a UNIX or Windows NT server, you must update four files for BSAC to successfully authenticate a user: The main dictionary (radius.dct). This file must be edited to contain an entry of parameters from the newly created Ethernet Routing Switch dictionary. A private dictionary (pprt8300.dct). This file, which is specific to the Ethernet Routing Switch 8300, must be generated. It will be sourced and used by dictiona.dcm and vendor.ini. The vendor.ini file. This file must contain an entry for the Ethernet Routing Switch 8300 in order for the file to acknowledge the model/type during the client configuration. The account.ini file. This file must contain the CLI-Command= entry. Specifically, you must make the following configuration changes for the BSAC server: 1 Add the following lines in files radius.dct and pprt8300.dct: C

173 Chapter 10 Setting up RADIUS servers 173 ATTRIBUTE Access-Priority 26 [vid=1584 type1=192 len1=+2 data=integer]r VALUE Access-Priority None-Access 0 VALUE Access-Priority Read-Only-Access 1 VALUE Access-Priority L1-Read-Write-Access 2 VALUE Access-Priority L2-Read-Write-Access 3 VALUE Access-Priority L3-Read-Write-Access 4 VALUE Access-Priority Read-Write-Access 5 VALUE Access-Priority Read-Write-All-Access 6 ATTRIBUTE Cli-Command 26 [vid=1584 type1=193 len1=+2 data=string] Note: The value in the type1 field must match the vendor-specific authentication attribute value. 2 Add the following lines in vendor.ini: vendor-product = Nortel Passport 8300 dictionary = pprt8300 ignore-ports = no port-number-usage = per-port-type help-id = 0 3 Add the following entry to the account.ini file: Cli-Command= 4 In the account.ini file, make sure that the following lines are present: User-Name= Acct-Input-Octets= Acct-Output-Octets= Acct-Session-Id= Acct-Session-Time= Acct-Input-Packets= Acct-Output-Packets= Configuring and Managing Security using the NNCLI and CLI

174 174 Chapter 10 Setting up RADIUS servers 5 Restart the server to activate the changes. Using a third-party RADIUS server If you re using a third-party RADIUS server and need to modify the dictionary files, you must use the following vendor-specific attribute format for CLI commands: x type len Vendor-Id value (string) v x type len value (cli-command) C

175 Chapter 10 Setting up RADIUS servers 175 Updating the dictionary file for a Merit Network server You must add the following lines in the dictionary file for the Merit Network server: VENDOR Nortel 1584 ATTRIBUTE Access-Priority 192 integer Nortel VALUE Access-Priority None-Access 0 VALUE Access-Priority Read-Only-Access 1 VALUE Access-Priority L1-Read-Write-Access 2 VALUE Access-Priority L2-Read-Write-Access 3 VALUE Access-Priority L3-Read-Write-Access 4 VALUE Access-Priority Read-Write-Access 5 VALUE Access-Priority Read-Write-All-Access 6 ATTRIBUTE Cli-Command 192 string Nortel You must restart the server to activate the changes. Updating files for the freeradius server After you have installed the freeradius server software on either a UNIX or Windows NT server, you must update three files for freeradius to successfully authenticate a user: A private dictionary (dictionary.nortel). clients.conf users Configuring and Managing Security using the NNCLI and CLI

176 176 Chapter 10 Setting up RADIUS servers Specifically, you must make the following configuration changes for the freeradius server: 1 Add the following lines in the dictionary file: VENDOR Nortel 1584 BEGIN-VENDOR Nortel ATTRIBUTE Access-Priority 192 integer VALUE Access-Priority None-Access 0 VALUE Access-Priority Read-Only-Access 1 VALUE Access-Priority L1-Read-Write-Access 2 VALUE Access-Priority L2-Read-Write-Access 3 VALUE Access-Priority L3-Read-Write-Access 4 VALUE Access-Priority Read-Write-Access 5 VALUE Access-Priority Read-Write-All-Access 6 #CLI profile ATTRIBUTE #CLI Commands ATTRIBUTE #CLI Commands ATTRIBUTE Command-Access 194 integer Cli-Commands 193 string Commands 195 string VALUE Command-Access FALSE 0 VALUE Command-Access True 1 #802 priority (value: 0-7) ATTRIBUTE Dot1x-Port-Priority 1 integer 2 Add the following lines in clients.conf. You must enter these lines for the freeradius server to work. The secret is not encrypted, so be careful when giving permissions to the directories C

177 Chapter 10 Setting up RADIUS servers 177 client /32 { secret = test shortname = R5 nastype = other } 3 Add the following lines in users. # EAPoL users, using Microsoft Windows Domain convention DOMAIN2\\user_n Auth-Type := EAP, User-Password == "password" Reply-Message = "You're authenticated, %u!!", DOMAIN2\\eap_user Auth-Type := EAP, User-Password == "eap_password" Reply-Message = "You're authenticated, %u!!", # Console/Telnet access via regular RADIUS # the following will prohibit user "administrator" from issuing commands "config ip" tree administrator Auth-Type := Local, User-Password == "dimension" Access-Priority = "Read-Write-All-Access", Command-Access = "FALSE", Commands = "config ip" You must restart the server to activate the changes. Configuring and Managing Security using the NNCLI and CLI

178 178 Chapter 10 Setting up RADIUS servers Changing user access As a network administrator, you can override a user s access to specific CLI commands by configuring the RADIUS server for user authentication. You must still give access based on the existing six access levels in the Ethernet Routing Switch 8300, but you can customize user access by permitting and preventing access to specific CLI commands. Subscriber and administrative interaction You must configure the following three returnable attributes for each user: Access priority (single instance) - the access levels currently available on Ethernet Routing Switch 8300: ro, l1, l2, l3, rw, rwa. Command access (single instance) - indicates whether the NNCLI or CLI commands configured on the RADIUS server are allowed or disallowed for the user. NNCLI or CLI commands (multiple instances) - the list of commands that the user can/cannot use. The user cannot include allow and deny commands in the list of multiple commands; the commands must be either all allow or all deny. Configuring the BSAC or Merit Network server To change the configuration of a BSAC or Merit Network server: 1 Create a new file (for example, pprtl2l3.dct) and update the information as shown in Figure 41 on page C

179 Figure 41 Updating information for the BSAC or Merit Network server Chapter 10 Setting up RADIUS servers 179 ############################################################################## # passaprt.dct - RADLINX PASSaPORT dictionary # # (See README.DCT for more details on the format of this file) ############################################################################## # # Use the Radius specification attributes in lieu of the RADLINX PASSaPORT ones # # Define additional RADLINX PASSaPORT parameters # (add RADLINX PASSaPORT specific attributes below) ATTRIBUTE Radlinx-Vendor-Specific 26 [vid=648 data=string] R ############################################################################## # pprtl2l3.dct - RADLINX PASSaPORT dictionary ############################################################################## #Define Nortel Passport 1000 & 8000 Layer 2 & Layer 3 dictionary ATTRIBUTE Access-Priority 26 [vid=1584 type1=192 len1=+2 data=integer] r VALUE Access-Priority None-Access 0 VALUE Access-Priority Read-Only-Access 1 VALUE Access-Priority L1-Read-Write-Access 2 VALUE Access-Priority L2-Read-Write-Access 3 VALUE Access-Priority L3-Read-Write-Access 4 VALUE Access-Priority Read-Write-Access 5 VALUE Access-Priority Read-Write-All-Access 6 VALUE Access-Priority CommReadOnly 1 VALUE Access-Priority CommReadWriteLayer1 2 VALUE Access-Priority CommReadWriteLayer2 4 VALUE Access-Priority CommReadWriteLayer3 8 VALUE Access-Priority CommReadWrite 16 VALUE Access-Priority CommReadWriteAll 32 ATTRIBUTE Acct-Status-Type 26 [vid=1584 type1=193 len1=+2 data=integer] r VALUE Acct-Status-Type Start 1 VALUE Acct-Status-Type Stop 2 VALUE Acct-Status-Type Interim-Update 3 VALUE Acct-Status-Type Accounting-On 7 VALUE Acct-Status-Type Accounting-Off 8 ATTRIBUTE Command-Access 26 [vid=1584 type1=194 len1=+2 data=integer] r VALUE Command-Access TRUE 1 VALUE Command-Access FALSE 0 ATTRIBUTE Cli-Commands 26 [vid=1584 type1=195 len1=+2 data=string]r ################################################################################ Configuring and Managing Security using the NNCLI and CLI

180 180 Chapter 10 Setting up RADIUS servers The default values are 192,194,195. If you change these values on the Ethernet Routing Switch 8300, you must change them in the file. Assign one of the following access levels to a user: VENDOR Nortel 1584 ATTRIBUTE Access-Priority 192 integer Nortel VALUE Access-Priority None-Access 0 VALUE Access-Priority Read-Only-Access 1 VALUE Access-Priority L1-Read-Write-Access 2 VALUE Access-Priority L2-Read-Write-Access 3 VALUE Access-Priority L3-Read-Write-Access 4 VALUE Access-Priority Read-Write-Access 5 VALUE Access-Priority Read-Write-All-Access 6 ATTRIBUTE Cli-Command 192 string Nortel The following are the values that are valid for the Command-Access Attribute: VALUE Command-Access TRUE 1 VALUE Command-Access FALSE 0 2 In the file dictiona.dcm, reference the new file 3 Update the file vendor.ini as follows: vendor-product = Nortel Passport 8300 Switches dictionary = pprtl2l3 ignore-ports = no help-id = C

181 Configuring the freeradius server To change the configuration of a freeradius server: Chapter 10 Setting up RADIUS servers Create a new file dictionary.passport and include it in the dictionary file. 2 Add the following to the dictionary.passport file: VENDOR Passport 1584 ATTRIBUTE Access-Priority-Attribute 192 integer Passport ATTRIBUTE Cli-Commands-Attribute 195 string Passport ATTRIBUTE Command-Access 194 integer Passport 192,193 are the default values. If you change these values on the Ethernet Routing Switch 8300, you must change them in the file. Assign one of the following access levels to a user: VENDOR Nortel 1584 ATTRIBUTE Access-Priority 192 integer Nortel VALUE Access-Priority None-Access 0 VALUE Access-Priority Read-Only-Access 1 VALUE Access-Priority L1-Read-Write-Access 2 VALUE Access-Priority L2-Read-Write-Access 3 VALUE Access-Priority L3-Read-Write-Access 4 VALUE Access-Priority Read-Write-Access 5 VALUE Access-Priority Read-Write-All-Access 6 ATTRIBUTE Cli-Command 192 string Nortel The following values are valid for the Command-Access Attribute. VALUE Command-Access FALSE 0 VALUE Command-Access TRUE 1 3 Modify the file clients.conf to provide access to the Ethernet Routing Switch 8300 and to provide the secret value: x.x.x.x mysecret Configuring and Managing Security using the NNCLI and CLI

182 182 Chapter 10 Setting up RADIUS servers where x.x.x.x is the Ethernet Routing Switch 8300 IP address. mysecret is the secret configured while creating a RADIUS server. Note: The secret value configured on the RADIUS server must be the same as the one configured in the Ethernet Routing Switch The file users must have the following access: rwa Auth-Type:= Local, Password == rwa Access-Priority = RWA-Access, The user and password must be rwa and Access-Priority must be in the dictionary.passport file. Example 1 User- john Access-Priority L2-Access Command-Access - True Cli-Commands - Config ip forwarding Though John has only L2 access, he can use the command config ip forwarding, which normally requires L3 access. Example 2 User- Mike Access-Priority - RWA-Access Command-Access False Cli-Commands reset Although Mike has rwa access, he is prevented from using the reset command to reboot the switch C

183 Chapter 10 Setting up RADIUS servers If a user enters the help command, the system displays help for only those commands to which the user has access. Note: If you prevent access to any command, only the lowest option in the command tree cannot be accessed. For example, if you prevent access to the CLI command config sys set for a user, the user is able to display or execute config or config sys; however, the user cannot display or execute set. Enabling EAP authentication To enable EAP authentication: 1 Ensure the RADIUS authentication and accounting ports match between the SBR server and the 8300 switch. 2 Edit the eap.ini file in the SBR s Radius\Service directory to accommodate the authentication paradigm. 3 Update 5 files for the SBR server: a The main dictionary (radius.dct). This file must be edited to contain an entry of parameters from the newly-created Passport dictionary. b A private dictionary (pprt8300.dct). This file, which is specific to the Ethernet Routing Switch 8300, must be generated. It will be sourced and used by (dictiona.dcm) and (vendor.ini). c The vendor.ini file. This file must contain an entry for the Ethernet Routing Switch 8300 in order for the file to acknowledge the model/type during the client configuration. d The account.ini file. This file must contain the CLI Command = entry. e The eap.ini file for SBR Ver4.0 and above for EAP authentication. Specifically, you must make the following configuration changes for the SBR server: Configuring and Managing Security using the NNCLI and CLI

184 184 Chapter 10 Setting up RADIUS servers a Add the following lines in files radius.dct and pprt8300.dct: ATTRIBUTE Access-Priority 26 [vid=1584 type1=192 len1=+2 data=integer] VALUE Access-Priority None-Access 0 VALUE Access-Priority Read-Only-Access 1 VALUE Access-Priority L1-Read-Write-Access 2 VALUE Access-Priority L2-Read-Write-Access 3 VALUE Access-Priority L3-Read-Write-Access 4 VALUE Access-Priority Read-Write-Access 5 VALUE Access-Priority Read-Write-All-Access 6 ATTRIBUTE Cli-Command 26 [vid=1584 type1=193 len1=+2 data=string] Note: The value in the type1 field must match the vendor-specific authentication attribute value. b c d e f Add the following lines in vendor.ini: vendor-product = Nortel Passport 8300 dictionary = pprt8300 ignore-ports = no port-number-usage = per-port-type help-id = 0 Add the following entry to the account.ini file: Cli-Command= In the account.ini file, ensure that the following lines are present: vendor-product = Nortel Passport 8300 dictionary = pprt8300 ignore-ports = no port-number-usage = per-port-type help-id = 0 To enable EAP authentication, for the SBR Server Version 4.0 and above, uncomment the line in the eap.ini file. Save changes and restart the server to activate the changes C

185 Chapter 11 Configuring RADIUS authentication and accounting using the NNCLI 185 This chapter describes how to configure RADIUS authentication and accounting using the NNCLI. Specifically, it includes the following topics: Topic Page Roadmap of NNCLI RADIUS commands 185 Configuring RADIUS on the switch 187 Enabling RADIUS accounting 190 Showing RADIUS information 192 Configuring a RADIUS server 193 Showing RADIUS server configurations and server statistics 196 Roadmap of NNCLI RADIUS commands The following roadmap lists the NNCLI RADIUS commands and their parameters. Use this list as a quick reference or click on any entry for more information: Command radius Parameter access-priority-attribute <value> acct acct-attribute-value <value> acct-include-cli-commands Configuring and Managing Security using the NNCLI and CLI

186 186 Chapter 11 Configuring RADIUS authentication and accounting using the NNCLI Command radius authentication no radius authentication radius access-priority-attribute <value> radius acct no radius acct radius acct-attribute-value <value> show radius radius-server no radius-server <ipaddr> usedby <value> show radius-server show radius-server authentication [<server ip>] show radius-server accounting [<server ip>] Parameter authentication clear-stat cli-commands-attribute <value> cli-profile command-access-attribute <value> maxserver <value> source-ip host <ipaddr> key <value> [port <value>] [priority <value>] [retry <value>] [timeout <value>] [enable] [disable] [acct-port <value>] [acct-enable] [acct-disable] [source-ip <value>] set <ipaddr> usedby <value> C

187 Chapter 11 Configuring RADIUS authentication and accounting using the NNCLI 187 Configuring RADIUS on the switch To configure RADIUS on the switch, use the following command from Global configuration mode: radius The radius command uses the following options: radius followed by: access-priority-attribute <value> acct acct-attribute-value <value> acct-include-cli-commands authentication clear-stat cli-commands-attribute <value> Sets the vendor-specific attribute value of the Access-Priority attribute to match the type value set in the dictionary file on the RADIUS server. Nortel recommends the default setting of 192 for the Ethernet Routing Switch 8300 switch. The value range is 192 to 240. Enables RADIUS accounting. To disable RADIUS accounting, use the command no radius acct. Specific to RADIUS accounting. This is a vendor-specific attribute. Values are in the range This value must be different from the access-priority attribute value configured for authentication. The default value is 193. Specifies whether the user wants CLI commands to be included in the RADIUS accounting requests. By default, CLI commands are not included. If acct-include-cli-commands has been enabled, disable the feature by using the command no radius acct-include-cli-commands. Enables RADIUS authentication. To disable RADIUS authentication, use the command no radius authentication. Clears RADIUS statistics from the switch. Sets the vendor-specific attribute value of the CLI-commands attribute to match the type value set in the dictionary file on the RADIUS server. The value range is 192 to 240. The default is 195. Configuring and Managing Security using the NNCLI and CLI

188 188 Chapter 11 Configuring RADIUS authentication and accounting using the NNCLI radius followed by: cli-profile command-access-attribute <value> Enables RADIUS profiling. To disable RADIUS profiling, use the command no radius cli-profile. Sets the CLI/NNCLI commands attribute value to match the value set in the dictionary file on the RADIUS server. Attribute values configured at the switch must match those configured at the server. The value range is 192 to 240. The default value for NNCLI is 196. Check with your network administrator to verify attribute values. Note: The values of the attribute for CLI and NNCLI must be different for the server to distinguish between the two types of commands. maxserver <value> Specific to RADIUS authentication. Sets the maximum number of servers allowed for the switch. The <value> is in the range source-ip Includes the configured Circuitless IP (CLIP) address as the source IP in the RADIUS packet. To disable the feature, use no radius source-ip. Note: When configuring RADIUS services, no two attributes can have the same value. For example, if acct-attribute-value is set to 194, no other attribute can have that same value. Enabling and disabling RADIUS authentication To enable RADIUS authentication globally on the switch, use the following command from the Global configuration mode: radius authentication To disable RADIUS authentication globally on the switch, use the following command from the Global configuration mode: no radius authentication C

189 Chapter 11 Configuring RADIUS authentication and accounting using the NNCLI 189 Configuring RADIUS access priority attribute values To configure the RADIUS access priority attribute value, use the following command from Global configuration mode: radius access-priority-attribute <value> where: value is in the range The default value is 192. Note: All attribute values must be unique. That is, if the access priority attribute value is configured to be 192, no other attribute can have the value of 192. Configuration example: RADIUS authentication The following configuration example uses the radius commands to configure RADIUS authentication. Figure 42 on page 190 shows sample output. Note: Figure 42 on page 190 is an example only. The access priority attribute value can be configured, however Nortel recommends that you use the default setting of 192 for the Ethernet Routing Switch Configuring and Managing Security using the NNCLI and CLI

190 190 Chapter 11 Configuring RADIUS authentication and accounting using the NNCLI Figure 42 radius authentication command sample output Passport-8310:5(config)# radius authentication Passport-8310:5(config)# radius access-priority-attribute 196 Passport-8310:5(config)# show radius acct-attribute-value : 193 acct-enable : false acct-include-cli-commands : false access-priority-attribute : 196 command-access-attribute : 194 cli-commands-attribute : 195 cli-profile-enable : false authentication-enable : true maxserver : 10 sourceip-flag: false Passport-8310:5(config)# Enabling RADIUS accounting To enable RADIUS accounting globally on the switch, use the following command from the Global configuration mode: radius acct To disable RADIUS accounting globally on the switch, use the following command from the Global configuration mode: no radius acct Note: When RADIUS accounting is enabled, expect a delay in the CLI login process. When accounting is enabled, the switch must attempt to connect to all RADIUS servers individually (there are three retries for each server), and if a server responds, the switch must send the accounting-start message. This creates the delay. If you are not using RADIUS accounting, ensure it is disabled to prevent the login delays C

191 Chapter 11 Configuring RADIUS authentication and accounting using the NNCLI 191 Configuring RADIUS accounting attribute values To configure the RADIUS accounting attribute value, use the following command from Global configuration mode: radius acct-attribute-value <value> where: value is in the range The default value is 193. Note: All attribute values must be unique. That is, if the access priority attribute value is configured to be 192, no other attribute can have the value of 192. Configuration example: RADIUS accounting The following configuration example uses the radius commands to configure RADIUS accounting. Figure 43 on page 192 shows sample output. Note: To use the default value for attributes, omit the command that configures the attribute value. In Figure 43 on page 192, the user did not enter the radius acct-attribute-value command. The switch uses the default value for the attribute. Configuring and Managing Security using the NNCLI and CLI

192 192 Chapter 11 Configuring RADIUS authentication and accounting using the NNCLI Figure 43 radius acct command sample output Passport-8310:5(config)# radius acct Passport-8310:5(config)# show radius acct-attribute-value : 193 acct-enable : true acct-include-cli-commands : false access-priority-attribute : 196 command-access-attribute : 194 cli-commands-attribute : 195 cli-profile-enable : false authentication-enable : true maxserver : 10 sourceip-flag: false Passport-8310:5(config)# Showing RADIUS information To display the global status of RADIUS information, enter the following command from either Global configuration or Privileged EXEC mode: show radius Figure 44 on page 193 shows sample output for the show radius command C

193 Chapter 11 Configuring RADIUS authentication and accounting using the NNCLI 193 Figure 44 show radius command sample output Passport-8306:5(config)#show radius acct-attribute-value : 193 acct-enable : true acct-include-cli-commands : false access-priority-attribute : 192 command-access-attribute : 194 cli-commands-attribute : 195 cli-profile-enable : false authentication-enable : false maxserver : 10 sourceip-flag: false Passport-8306:5(config)# Configuring a RADIUS server To create a RADIUS server, use the following command from the Global configuration mode: radius-server To delete a RADIUS server, use the following command from the Global configuration mode: no radius-server <ipaddr> usedby <value> Configuring and Managing Security using the NNCLI and CLI

194 194 Chapter 11 Configuring RADIUS authentication and accounting using the NNCLI This command includes the following options: radius-server followed by: Required parameters host <ipaddr> key <value> Optional parameters: [port <value>] [priority <value>] [retry <value>] [timeout <value>] [enable] [disable] [acct-port <value>] [acct-enable] [acct-disable] [source-ip <value>] Creates a server. To delete a server, use the no radius-server <ipaddr> usedby <value> command, where usedby <value> indicates the service that uses the RADIUS server (cli or eap). ipaddr is the IP address of the server that you want to add. key <value> is the secret key of the authentication client. Can be up to 20 characters. Optional parameters: port <value> is the UDP port you want to use ( ). The default is priority <value> is the priority value for this server (1 10). The default is 10. retry <value> is the number of authentication retries the server will accept (1 6). The default is 3. timeout <value> is the number of seconds before the authentication request times out (1 10). The default is 3. enable enables this server. disable disables this server. acct-port <value> is the UDP port the client uses to send accounting requests to the server (in the range ). The default value is The UDP port value set for the client must match the UDP value set for the RADIUS server. acct-enable enables RADIUS accounting. acct-disable disables RADIUS accounting. source-ip <value> includes the IP address of the gateway or router in the RADIUS packet C

195 Chapter 11 Configuring RADIUS authentication and accounting using the NNCLI 195 radius-server followed by: set <ipaddr> usedby <value> Optional parameters: [secret <value>] [port <value>] [priority <value>] [retry <value>] [timeout <value>] [enable] [disable] [acct-port <value>] [acct-enable] [acct-disable] [source-ip <value>] Changes specified server values without having to delete the server and re-create it again. ipaddr is the IP address of the server that you want to add. usedby is the service that uses the device (CLI or EAP). Optional parameters: secret <value> is the secret key of the authentication client. port <value> is the UDP port you want to use ( ). The default is priority <value> is the priority value for this server (1 10). The default is 10. retry <value> is the number of authentication retries the server will accept (1 6). The default is 3. timeout <value> is the number of seconds before the authentication request times out (1 10). The default is 3. enable enables this server. disable disables this server. acct-port <value> is the UDP port the client uses to send accounting requests to the server (in the range ). The default value is The UDP port value set for the client must match the UDP value set for the RADIUS server. acct-enable enables RADIUS accounting. acct-disable disables RADIUS accounting. source-ip <value> includes the IP address of the gateway or router in the RADIUS packet. Configuration example: adding a RADIUS server The following configuration example uses the commands described above to add a RADIUS server with IP address and a key of 9. Figure 45 shows sample output using these commands. Figure 45 radius-server command sample output Passport-8306:5(config)#radius-server host key 9 Passport-8306:5(config)# Configuring and Managing Security using the NNCLI and CLI

196 196 Chapter 11 Configuring RADIUS authentication and accounting using the NNCLI Showing RADIUS server configurations and server statistics To display current RADIUS server configurations and server statistics, use the following command from either Global configuration or Privileged EXEC mode: show radius-server Note: To clear server statistics, use the radius clear-stat command from Global configuration mode. Figure 46 shows sample output for the show radius-server command. Figure 46 show radius-server command sample output Passport-8306:5(config)#show radius-server create : Name Usedby Secret Port Pri Retry Timeout Auth Acct Acct source enbld port enbld ip cli true 1813 true cli show true 1813 true delete : N/A set : N/A Note: You cannot collect the following network statistics from a console port: the number of input and output packets, and the number of input and output bytes. All other statistics from console ports are available to assist with debugging C

197 Chapter 11 Configuring RADIUS authentication and accounting using the NNCLI 197 Showing RADIUS authentication statistics To show RADIUS authentication statistics, use the following command from Global configuration or Privileged EXEC mode: show radius-server authentication-stat To display statistics for a specific RADIUS server, use the following command syntax: show radius-server authentication [<server ip>] Figure 47 shows sample output for the show radius-server command. Figure 47 show radius-server authentication-stat command sample output Passport-8306:5(config)#show radius-server authentication-stat Responses with invalid server address: 0 Radius Server(UsedBy) : (cli) Access Requests : 0 Access Accepts : 0 Access Rejects : 0 Bad Responses : 0 Client Retries : 0 Pending Requests : 0 Access Challenges : 0 Round-trip Time : unknown Nas Ip Address : Radius Server(UsedBy) : (cli) Access Requests : 0 Access Accepts : 0 Access Rejects : 0 Bad Responses : 0 Client Retries : 0 Pending Requests : 0 Access Challenges : 0 Round-trip Time : unknown Nas Ip Address : Passport-8306:5(config)# Configuring and Managing Security using the NNCLI and CLI

198 198 Chapter 11 Configuring RADIUS authentication and accounting using the NNCLI Table 6 describes the statistics from this command. Table 6 show radius-server authentication-stat command statistics Item RADIUS Server (Useby) Access Requests Access Accepts Access Rejects Bad Responses Client Retries Pending Requests Access Challenges Round-trip Time Nas IP Address Description The IP address of the RADIUS server. The (Usedby) value indicates the service that uses the RADIUS server (CLI or EAP). Number of RADIUS access-response packets sent to this server. This does not include retransmissions. Number of RADIUS access-accept packets, valid or invalid, received from this server. Number of RADIUS access-reject packets, valid or invalid, received from this server. Number of RADIUS invalid access-response packets received from this server. Number of authentication retransmissions to the server. Access-request packets sent to the server that have not yet received a response, or have timed out. Authentication parameter that indicates the number of access-challenges sent by the RADIUS server. Time difference between the instant when a RADIUS Request is sent to the server and the instant when the RADIUS Response is received from the server. IP address that represents the NAS used in RADIUS requests sent to this server. Showing RADIUS accounting statistics To show RADIUS accounting statistics, use the following command from Global configuration or Privileged EXEC mode: show radius-server accounting-stat To display statistics for a specific RADIUS server, use the following command syntax: show radius-server accounting [<server ip>] Figure 48 on page 199 shows sample output for the show radius-server command C

199 Chapter 11 Configuring RADIUS authentication and accounting using the NNCLI 199 Figure 48 show radius-server accounting command sample output Passport-8306:5(config)#show radius-server accounting Radius Server(UsedBy) : (cli) Acct On Requests : 2 Acct Off Requests : 1 Acct Start Requests : 2 Acct Stop Requests : 2 Acct Interim Requests : 0 Acct Bad Responses : 0 Acct Pending Requests : 0 Acct Client Retries : 7 Passport-8306:5(config)# Table 7 describes the statistics from this command. Table 7 show radius-server accounting-stat command statistics Item Description RADIUS Server (Useby) Acct On Requests Acct Off Requests Acct Start Requests Acct Stop Requests The IP address of the RADIUS server. The (Usedby) value indicates the service that uses the RADIUS server (CLI or EAP). Number of accounting-on requests sent to the server. Number of accounting-off requests sent to the server. Number of accounting-start requests sent to the server. Number of accounting-stop requests sent to the server. Acct Interim Requests Number of accounting interim-requests sent to the server. Acct Bad Responses Number of invalid accounting responses from the server that are discarded. Acct Pending Number of accounting requests waiting to be sent to the server. Requests Acct Client Retries Number of accounting retries made to this server. Configuring and Managing Security using the NNCLI and CLI

200 200 Chapter 11 Configuring RADIUS authentication and accounting using the NNCLI C

201 Chapter 12 Configuring RADIUS authentication and accounting using the CLI 201 This chapter describes how to configure RADIUS authentication and accounting using the CLI. Specifically, it includes the following topics: Topic Page Roadmap of CLI RADIUS commands 201 Configuring RADIUS on the switch 203 Enabling RADIUS authentication 204 Enabling RADIUS accounting 206 Showing RADIUS information 208 Configuring a RADIUS server 209 Showing RADIUS server configurations and server statistics 212 Roadmap of CLI RADIUS commands The following roadmap lists the CLI RADIUS commands and their parameters. Use this list as a quick reference or click on any entry for more information: Command config radius Parameter info access-priority-attribute <value> acct-attribute-value <value> acct-enable <true false> acct-include-cli-commands <true false> Configuring and Managing Security using the NNCLI and CLI

202 202 Chapter 12 Configuring RADIUS authentication and accounting using the CLI Command config radius authentication-enable <true false> config radius access-priority-attribute <value> config radius acct-enable <true false> config radius acct-attribute-value <value> config radius info show radius info config radius server show radius server config Parameter authentication-enable <true false> clear-stat cli-commands-attribute <value> cli-profile-enable <true false> command-access-attribute <value> maxserver <value> sourceip-flag <true false> info create <ipaddr> secret <value> [usedby <value>] [port <value>] [priority <value>] [retry <value>] [timeout <value>] [enable <value>] [acct-port <value>] [acct-enable <value>] [source-ip <value>] delete <ipaddr> usedby <value> set <ipaddr> usedby <value> [secret <value>] [port <value>] [priority <value>] [retry <value>] [timeout <value>] [enable <value>] [acct-port <value>] [acct-enable <value>] [source-ip <value>] C

203 Chapter 12 Configuring RADIUS authentication and accounting using the CLI 203 Command show radius server stat authentication [<server ip>] show radius server stat accounting [<server ip>] Parameter Configuring RADIUS on the switch To configure RADIUS on the switch, use the following command: config radius This is a complete listing of all of the config radius commands. The sections that follow provide specific details about each command. config radius followed by: info access-priority-attribute <value> acct-attribute-value <value> acct-enable <true false> acct-include-cli-commands <true false> authentication-enable <true false> clear-stat Displays global RADIUS settings. Sets the vendor-specific access-priority attribute value to match the type value set in the dictionary file on the RADIUS server. Nortel recommends the default setting of 192 for the Ethernet Routing Switch The value is in the range Specific to RADIUS accounting. This is a vendor-specific attribute. Values are in the range This value must be different from the access-priority attribute value configured for authentication. Enables (true) or disables (false) the RADIUS accounting feature. Specifies whether the user wants CLI commands to be included in the RADIUS accounting requests. By default, CLI commands are not included. Enables (true) or disables (false) the RADIUS authentication feature. Clears RADIUS statistics from the switch. Configuring and Managing Security using the NNCLI and CLI

204 204 Chapter 12 Configuring RADIUS authentication and accounting using the CLI config radius followed by: cli-commands-attribute <value> cli-profile-enable <true false> command-access-attribute <value> maxserver <value> sourceip-flag <true false> Sets the vendor-specific attribute value of the CLI-commands attribute to match the type value set in the dictionary file on the RADIUS server. The value range is 192 to 240. The default is 195. Enables (true) or disables (false) RADIUS profiling. Sets the CLI/NNCLI commands attribute value to match the value set in the dictionary file on the RADIUS server. Attribute values configured at the switch must match those configured at the server. The value range is 192 to 240. The default value for CLI is 194. Check with your network administrator to verify attribute values. Note: The values of the attribute for CLI and NNCLI must be different for the server to distinguish between the two types of commands. Specific to RADIUS authentication. Sets the maximum number of servers allowed for the switch. The value is in the range Enable (true) to include the IP address of the gateway or router in the RADIUS packet. Note: When configuring RADIUS services, no two attributes can have the same value. For example, if acct-attribute-value is set to 194, no other attribute can have that same value. Enabling RADIUS authentication To enable or disable RADIUS authentication globally on the switch, use the following command: config radius authentication-enable <true false> where: true enables RADIUS authentication globally. false disables RADIUS authentication globally C

205 Chapter 12 Configuring RADIUS authentication and accounting using the CLI 205 Configuring RADIUS access priority attribute values To configure the RADIUS authentication access priority attribute value, use the following command: config radius access-priority-attribute <value> where: value is in the range The default value is 192. Note: All attribute values must be unique. That is, if the access priority attribute value is configured to be 192, no other attribute can have the value of 192. Configuration example: RADIUS authentication The following configuration example uses the config radius commands to configure RADIUS authentication. Figure 49 on page 206 shows sample output. Note: Figure 49 on page 206 is an example only. The access priority attribute value can be configured, however Nortel recommends that you use the default setting of 192 for the Ethernet Routing Switch Configuring and Managing Security using the NNCLI and CLI

206 206 Chapter 12 Configuring RADIUS authentication and accounting using the CLI Figure 49 config radius authentication-enable command sample output Passport-8310:5# config radius authentication-enable true Passport-8310:5# config radius access-priority-attribute 196 Passport-8310:5# config radius maxserver 10 Passport-8310:5# config radius info Sub-Context: clear config monitor show test trace Current Context: acct-attribute-value : 193 acct-enable : false acct-include-cli-commands : false access-priority-attribute : 196 command-access-attribute : 194 cli-commands-attribute : 195 cli-profile-enable : false authentication-enable : true maxserver : 10 sourceip-flag: false Passport-8310:5# Enabling RADIUS accounting To enable or disable RADIUS accounting globally on the switch, use the following command: config radius acct-enable <true false> where: true enables RADIUS accounting globally. false disables RADIUS accounting globally. Note: When RADIUS accounting is enabled, expect a delay in the CLI login process. When accounting is enabled, the switch must attempt to connect to all RADIUS servers individually (there are three retries for each server), and if a server responds, the switch must send the accounting-start message. This creates the delay. If you are not using RADIUS accounting, ensure it is disabled to prevent the login delays C

207 Chapter 12 Configuring RADIUS authentication and accounting using the CLI 207 Configuring RADIUS accounting attribute values To configure the RADIUS accounting attribute value, use the following command: config radius acct-attribute-value <value> where: value is in the range The default value is 193. Note: All attribute values must be unique. That is, if the access priority attribute value is configured to be 192, no other attribute can have the value of 192. Configuration example: RADIUS accounting The following configuration example uses the config radius commands to configure RADIUS accounting. Figure 50 on page 208 shows sample output. Note: To use the default value for attributes, omit the command that configures the attribute value. In Figure 50 on page 208, the user did not enter the config radius acct-attribute-value command. The switch uses the default value for the attribute. Configuring and Managing Security using the NNCLI and CLI

208 208 Chapter 12 Configuring RADIUS authentication and accounting using the CLI Figure 50 config radius acct-enable command sample output Passport-8310:5# config radius acct-enable true Passport-8310:5# config radius info Sub-Context: clear config monitor show test trace Current Context: acct-attribute-value : 193 acct-enable : true acct-include-cli-commands : false access-priority-attribute : 196 command-access-attribute : 194 cli-commands-attribute : 195 cli-profile-enable : false authentication-enable : true maxserver : 10 sourceip-flag: false Passport-8310:5# Showing RADIUS information To display the global status of RADIUS information, use one of the following commands: config radius info or show radius info Figure 51 on page 209 shows sample output for the config radius info command. The output for the show radius info command is the same as that for config radius info command C

209 Chapter 12 Configuring RADIUS authentication and accounting using the CLI 209 Figure 51 config radius info sample output Passport-8310:5# config radius info Sub-Context: clear config monitor show test trace Current Context: acct-attribute-value : 193 acct-enable : true acct-include-cli-commands : false access-priority-attribute : 192 command-access-attribute : 194 cli-commands-attribute : 195 cli-profile-enable : false authentication-enable : true maxserver : 10 sourceip-flag: false Passport-8310:5# Configuring a RADIUS server To create, delete, or get information about a RADIUS server, use the following command: config radius server Configuring and Managing Security using the NNCLI and CLI

210 210 Chapter 12 Configuring RADIUS authentication and accounting using the CLI This command includes the following options: config radius server followed by: info create <ipaddr> secret <value> Optional parameters: [usedby <value>] [port <value>] [priority <value>] [retry <value>] [timeout <value>] [enable <value>] [acct-port <value>] [acct-enable <value>] [source-ip <value>] Displays a list of all configured RADIUS servers. Creates a server. ipaddr is the IP address of the server you want to add. secret <value> is the secret key of the authentication client. Optional parameters: usedby specifies the service that uses the device. Options are CLI or EAP. port <value> is the UDP port you want to use ( ). The default is priority <value> is the priority value for this server (1 10). The default is 10. retry <value> is the number of authentication retries the server will accept (1 6). The default is 3. timeout <value> is the number of seconds before the authentication request times out (1 10). The default is 3. enable <value> enables (true) or disables (false) this server. The default value is true. acct-port <value> is the UDP port the client uses to send accounting requests to the server (in the range ). The default value is The UDP port value set for the client must match the UDP value set for the RADIUS server. acct-enable <value> enables (true) or disables (false) RADIUS accounting. source-ip <value> includes the IP address of the gateway or router in the RADIUS packet C

211 Chapter 12 Configuring RADIUS authentication and accounting using the CLI 211 config radius server followed by: delete <ipaddr> usedby <value> set <ipaddr> usedby <value> Optional parameters: [secret <value>] [port <value>] [priority <value>] [retry <value>] [timeout <value>] [enable <value>] [acct-port <value>] [acct-enable <value>] [source-ip <value>] Deletes a server. ipaddr is the IP address of the server you want to delete. usedby specifies the service that uses the device. Options are CLI or EAP. Changes specified server values without having to delete the server and re-create it again. ipaddr is the IP address of the server you want to add. usedby specifies the service that uses the device. Options are CLI or EAP. Optional parameters: secret <value> is the secret key of the authentication client. port <value> is the UDP port you want to use ( ). The default is priority <value> is the priority value for this server (1 10). The default is 10. retry <value> is the number of authentication retries the server will accept (1 6). The default is 3. timeout <value> is the number of seconds before the authentication request times out (1 10). The default is 3. enable <value> enables (true) or disables (false) this server. The default value is true. acct-port <value> is the UDP port the client uses to send accounting requests to the server (in the range ). The default value is The UDP port value set for the client must match the UDP value set for the RADIUS server. acct-enable <value> enables (true) or disables (false) RADIUS accounting. source-ip <value> includes the IP address of the gateway or router in the RADIUS packet. Configuring and Managing Security using the NNCLI and CLI

212 212 Chapter 12 Configuring RADIUS authentication and accounting using the CLI Configuration example: adding a RADIUS server The following configuration example uses the config radius server commands to: add a RADIUS server with IP address , a key of 9, and used by CLI view RADIUS server information Figure 52 shows sample output. Figure 52 config radius server command sample output Passport-8310:5# config radius server create secret 9 usedby cli Passport-8310:5# config radius server info Sub-Context: clear config monitor show test trace Current Context: create : Name Usedby Secret Port Prio Retry Timeout Enabled Acct-port Acct-enabled cli true 1813 true Passport-8310:5# delete : N/A set : N/A Showing RADIUS server configurations and server statistics The show radius server config command displays current RADIUS server configurations. The command uses the syntax: show radius server config Note: To clear server statistics, use the config radius clear-stat command C

213 Chapter 12 Configuring RADIUS authentication and accounting using the CLI 213 Figure 53 shows sample output for the show radius server config command. Figure 53 show radius server config sample command output Passport-8310:5# show radius server config Sub-Context: clear config monitor show test trace Current Context: create : Name Usedby Secret Port Prio Retry Timeout Auth Acct Acct source enbld port enbld ip cli true 1813 true cli show true 1813 true Passport-8310:5# delete : N/A set : N/A Note: You cannot collect the following network statistics from a console port: the number of input and output packets, and the number of input and output bytes. All other statistics from console ports are available to assist with debugging. Showing RADIUS authentication statistics The show radius server stat authentication command displays statistics for the current RADIUS servers. The command uses the syntax: show radius server stat authentication [<server ip>] Figure 54 on page 214 shows sample output for the show radius server stat authentication command. Configuring and Managing Security using the NNCLI and CLI

214 214 Chapter 12 Configuring RADIUS authentication and accounting using the CLI Figure 54 show radius server stat authentication command sample output Passport-8310:5# show radius server stat authentication Responses with invalid server address: 0 Radius Server(UsedBy) : (cli) Access Requests : 0 Access Accepts : 0 Access Rejects : 0 Bad Responses : 0 Client Retries : 0 Pending Requests : 0 Access Challanges : 0 Round-trip Time : unknown Nas Ip Address : Radius Server(UsedBy) : (cli) Access Requests : 0 Access Accepts : 0 Access Rejects : 0 Bad Responses : 0 Client Retries : 0 Pending Requests : 0 Access Challanges : 0 Round-trip Time : unknown Nas Ip Address : Passport-8310:5# Table 8 describes the statistics from this command. Table 8 show radius server stat authentication command statistics Item Radius Server (UsedBy) Access Requests Description The IP address of the RADIUS server. The service that uses the RADIUS server (CLI or EAP). Number of access-request packets sent to the server; does not include retransmissions C

215 Chapter 12 Configuring RADIUS authentication and accounting using the CLI 215 Table 8 show radius server stat authentication command statistics (continued) Item Access Accepts Access Rejects Bad Responses Client Retries Pending Requests Access Challenges Round-trip Time Nas IP Address Description Number of access-accept packets, valid or invalid, received from the server. Number of access-reject packets, valid or invalid, received from the server. Number of invalid access-response packets received from the server. Number of authentication retransmissions to the server. Access-request packets sent to the server that have not yet received a response, or have timed out. Number of Access-Challenge packets received from the RADIUS server. Time difference between the instant when a RADIUS Request is sent to the server and the instant when the RADIUS Response is received from the server. IP address that represents the NAS used in RADIUS requests sent to this server. Showing RADIUS accounting statistics The show radius server stat accounting command displays statistics for the current RADIUS servers. The command uses the syntax: show radius server stat accounting [<server ip>] Figure 55 on page 216 shows sample output for the show radius server stat accounting command. Configuring and Managing Security using the NNCLI and CLI

216 216 Chapter 12 Configuring RADIUS authentication and accounting using the CLI Figure 55 show radius server stat accounting command sample output Passport-8310:5# show radius server stat accounting Radius Server(UsedBy) : (cli) Acct On Requests : 0 Acct Off Requests : 0 Acct Start Requests : 0 Acct Stop Requests : 0 Acct Interim Requests : 0 Acct Bad Responses : 0 Acct Pending Requests : 0 Acct Client Retries : 0 Passport-8310:5# Table 9 describes the statistics from this command. Table 9 show radius server stat accounting command statistics Item Description Radius Server The IP address of the RADIUS server. (UsedBy) The service that uses the RADIUS server (CLI or EAP). Acct On Requests Number of accounting-on requests sent to the server. Acct Off Requests Number of accounting-off requests sent to the server. Acct Start Requests Number of accounting-start requests sent to the server. Acct Stop Requests Number of accounting-stop requests sent to the server. Acct Interim Requests Number of accounting interim-requests sent to the server. Acct Bad Responses Number of invalid accounting responses from the server that are discarded. Acct Pending Number of accounting requests waiting to be sent to the server. Requests Acct Client Retries Number of accounting retries made to this server C

217 Chapter 13 Configuring EAPoL using the NNCLI 217 Extensible Authentication Protocol over LAN (EAPoL) is a port-based network access control protocol. EAPoL provides security to your network by preventing users from accessing network resources before they are authenticated. EAPoL allows you to set up network access control on internal LANs and to exchange authentication information between any end station or server connected to the Ethernet Routing Switch 8300 and an authentication server (such as a RADIUS server). This security feature extends the benefits of remote authentication to internal LAN clients. For example, if a new client PC fails the authentication process, EAPoL prevents it from accessing the network. This chapter includes the following topics: Topic Page Roadmap of NNCLI EAPoL commands 218 Configuration prerequisites 221 Configuring EAPoL globally 221 Adding an EAPoL-enabled RADIUS server 222 Deleting an EAPoL-enabled RADIUS server 225 Modifying EAPoL-enabled RADIUS server parameters 225 Configuring EAPoL on a port 227 Configuring non-eapol clients on a port 230 Changing the authentication status of a port 231 Showing EAPoL statistics 232 Viewing the status of non-eapol clients that use RADIUS 246 Configuring and Managing Security using the NNCLI and CLI

218 218 Chapter 13 Configuring EAPoL using the NNCLI Roadmap of NNCLI EAPoL commands The following roadmap lists the NNCLI EAPoL commands and their parameters. Use this list as a quick reference or click on any entry for more information: Command Global configuration mode radius-server host <ipaddr> key <value> usedby eapol Parameter Optional parameters: [acct-disable] [acct-enable] [acct-port <value>] [disable] [enable] [port <value>] [priority <value>] [retry <value>] [source-ip <value>] [timeout <value>] Global configuration mode no radius-server <ipaddr> usedby eapol Global configuration mode radius-server set <ipaddr> usedby eapol Optional parameters: [acct-disable] [acct-enable] [acct-port <value>] [disable] [enable] [key <value>] [port <value>] [priority <value>] [retry <value>] [source-ip <value>] [timeout <value>] Global configuration mode eapol (Also, no eapol) Interface mode eapol acct-enable clear-stat guest-vlan multihost radius-non-eap-enable radius-discard-filter-ageout <value> guest-vlan enable guest-vlan vid <value> init C

219 Chapter 13 Configuring EAPoL using the NNCLI 219 Command Parameter max-request multihost enable port {slot/port[-slot/port][,...]} quiet-interval <value> re-authenticate re-authentication re-authentication-period <value> server-timeout < > status <auto unauthorized authorized> supplicant-timeout < > traffic-control <in in-out> transmit-interval < > Interface mode eapol multihost allow-non-eap-enable eap-mac-max <value> enable non-eap-mac <mac> non-eap-mac-max <value> port {slot/port[-slot/port][,...]} radius-non-eap-enable shut-down-on-intrusion- enable Show commands show eapol show interface <FastEthernet GigabitEthernet> eapol auth-stats [<portlist>] Configuring and Managing Security using the NNCLI and CLI

220 220 Chapter 13 Configuring EAPoL using the NNCLI Command show interface <FastEthernet GigabitEthernet> eapol auth-diags [<portlist>] Parameter show interface <FastEthernet GigabitEthernet> eapol session-stats [<portlist>] show interface <FastEthernet GigabitEthernet> eapol config [<portlist>] show interface <FastEthernet GigabitEthernet> eapol oper-stats [<portlist>] show interface <FastEthernet GigabitEthernet> eapol multihost-session-stats [<ports>] show eapol multihost non-eap-mac status [<ports>] show eapol multihost non-eap-mac interface [<ports>] C

221 Configuration prerequisites Chapter 13 Configuring EAPoL using the NNCLI 221 Use the following configuration rules when using EAPoL: Before configuring your switch for EAPoL and RADIUS MAC centralization, you must configure at least one EAPoL RADIUS Server and Shared Secret fields. You cannot configure EAPoL on ports that are currently configured for: shared segments multilink trunking (MLT) tagging Note: Although you can enable both port mirroring and EAPoL on a port, Nortel does not recommend it. You can enable EAPoL in any order; that is, you do not have to enable EAPoL locally before you enable it globally. You can connect up to eight clients on each EAPoL-enabled port if you enable the Multiple Host feature. EAPoL uses the RADIUS protocol to authenticate EAPoL logins. Refer to Chapter 11, Configuring RADIUS authentication and accounting using the NNCLI, on page 185 for more information on using the RADIUS protocol. Configuring EAPoL globally You can use the eapol command to globally enable or disable EAPoL on your switch (EAPoL is disabled on your switch, by default.) Use this command to make all the controlled switch ports EAPoL-enabled. To enable EAPoL globally on your switch, enter the following command from the Global configuration mode: eapol Configuring and Managing Security using the NNCLI and CLI

222 222 Chapter 13 Configuring EAPoL using the NNCLI To disable EAPoL globally on your switch, use no before commands. For example: no eapol This command includes the following parameters: eapol followed by: acct-enable clear-stat guest-vlan multihost radius-non-eap-enable radius-discard-filter-age out <value> Enable RADIUS accounting for EAPoL sessions. Clears all EAPoL authentication and diagnostic statistics. Globally assigns and enables the Guest VLAN identification number on the switch. Use the eapol guest-vlan vid <value> command to set an integer value in the range 1 and 4000, which represents the Guest VLAN ID. Use the eapol guest-vlan enable command to globally enable the default guest vlan on the switch. Enables RADIUS MAC centralization globally on the switch. Globally sets the ageout period for pending (due to server timeout or the server is unreachable) non-eap-macs. The ageout <value> is in the range seconds. Adding an EAPoL-enabled RADIUS server The Ethernet Routing Switch 8300 can use RADIUS servers for authentication services. To add an EAPoL-enabled RADIUS server, use the following command from the Global configuration mode: radius-server host <ipaddr> key <value> usedby eapol where: ipaddr indicates the IP address of the selected server C

223 Chapter 13 Configuring EAPoL using the NNCLI 223 value specifies the secret key, which is a string of up to 20 characters. The RADIUS server uses this password to validate users. Note: The useby parameter determines how the server functions: cli - configures the server for CLI authentication. eapol - configures the server for EAPoL authentication. Other optional parameters that you can use with the radius-server host <ipaddr> key <value> usedby eapol command are: radius-server host <ipaddr> key <value> usedby eapol optional parameters: [acct-disable] [acct-enable] [acct-port <value>] [disable] [enable] [port <value>] [priority <value>] [retry <value>] [source-ip <value>] [timeout <value>] Optional parameters: acct-disable disables RADIUS accounting. acct-enable enables RADIUS accounting. acct-port <value> is the UDP port the client uses to send accounting requests to the server (in the range ). The default value is The UDP port value set for the client must match the UDP value set for the RADIUS server. disable disables RADIUS authentication on the server. The default is true. enable enables RADIUS authentication on the server. The default is true. port <value> specifies the UDP port that the client uses to send requests to the server (in the range ). The default value is The UDP port value set for the client must match the UDP value set for the RADIUS server. priority <value> specifies the priority of each server (that is, the order in which authentication is sent to servers when more than one is configured). The range is The default is 10. retry <value> specifies the maximum number of retransmissions allowed (in the range 1 6). The default value is 3. source-ip <value> is the IP address of the gateway or router. timeout <value> specifies the time interval, in seconds, before the client retransmits the packet (in the range 1 10). The default value is 3 seconds. Configuring and Managing Security using the NNCLI and CLI

224 224 Chapter 13 Configuring EAPoL using the NNCLI Configuration example: adding an EAPoL-enabled RADIUS server To configure a RADIUS server to be used by EAPoL on the Ethernet Routing Switch 8300: 1 Enable RADIUS authentication globally: Passport-8310:5(config)#radius authentication 2 Add the RADIUS server: Passport-8310:5(config)#radius-server host <IP address> key <value> usedby eapol By default, the Ethernet Routing Switch 8300 uses RADIUS UDP ports 1812 and You can change the port number or other RADIUS server options when you add the RADIUS server. Figure 56 shows the command input and results. Figure 56 radius-server host command sample output Passport-8310:5(config)# radius authentication Passport-8310:5(config)# radius-server host key eap-key usedby eapol Passport-8310:5(config)# show radius-server create : Name Used Secret Port Pri Re Time Auth Acct Acct source by try out enbld port enbld ip eap eap-ke true 1813 true y delete : N/A set : N/A Passport-8310:5(config)# C

225 Chapter 13 Configuring EAPoL using the NNCLI 225 Note: When a port is configured for EAPoL (that is, it has an EAPoL status of auto) only one Supplicant is allowed on this port. Multiple EAPoL Supplicants are allowed when multihost is enabled on the port. Deleting an EAPoL-enabled RADIUS server To delete an EAPoL-enabled RADIUS server, use the following command from the Global configuration mode: no radius-server <ipaddr> usedby eapol where: ipaddr indicates the IP address of the selected server. Note: The useby parameter determines how the server functions: cli - configures the server for CLI authentication. eapol - configures the server for EAPoL authentication. Modifying EAPoL-enabled RADIUS server parameters To set EAPoL-enabled RADIUS server parameters without having to delete the server and recreate it, use the following command from Global configuration mode: radius-server set <ipaddr> usedby eapol where: ipaddr indicates the IP address of the selected server. Note: The useby parameter determines how the server functions: cli - configures the server for CLI authentication. eapol - configures the server for EAPoL authentication. Configuring and Managing Security using the NNCLI and CLI

226 226 Chapter 13 Configuring EAPoL using the NNCLI Other optional parameters that you can use with the radius-server set <ipaddr> usedby eapol command are: radius-server set <ipaddr> usedby eapol optional parameters: [acct-disable] [acct-enable] [acct-port <value>] [disable] [enable] [key <value>] [port <value>] [priority <value>] [retry <value>] [source-ip <value>] [timeout <value>] Optional parameters: acct-disable disables RADIUS accounting. acct-enable enables RADIUS accounting. acct-port <value> is the UDP port the client uses to send accounting requests to the server (in the range ). The default value is The UDP port value set for the client must match the UDP value set for the RADIUS server. disable disables RADIUS authentication on the server. The default is true. enable enables RADIUS authentication on the server. The default is true. port <value> specifies the UDP port that the client uses to send requests to the server (in the range ). The default value is The UDP port value set for the client must match the UDP value set for the RADIUS server. priority <value> specifies the priority of each server (that is, the order in which authentication is sent to servers when more than one is configured). The range is The default is 10. retry <value> specifies the maximum number of retransmissions allowed (in the range 1 6). The default value is 3. source-ip <value> is the IP address of the gateway or router. timeout <value> specifies the time interval, in seconds, before the client retransmits the packet (in the range 1 10). The default value is 3 seconds. For more information about this command and the options that can be used with it, refer to Chapter 11, Configuring RADIUS authentication and accounting using the NNCLI, on page C

227 Configuring EAPoL on a port Chapter 13 Configuring EAPoL using the NNCLI 227 To configure EAPoL on a specific port, use the following command from the Interface configuration mode: eapol Note: Ensure you are in the Interface configuration mode for a port, or a range of ports. For example, from the Global configuration mode, enter the command: interface fastethernet {slot/port[-slot/port][,...]} This command includes the following parameters: eapol followed by: guest-vlan enable guest-vlan vid <value> init max-request multihost enable port {slot/port[-slot/ port][,...]} quiet-interval <value> Enables the Guest VLAN on this port. Use the no eapol guest-vlan enable command to disable the Guest VLAN on the port. Assigns the guest VLAN identification number (vid), an integer value in the range Initializes EAPoL authentication on the specified port. Sets the maximum number of times to retry sending packets to the Supplicant. The range is 1 and 10. The default value is 2. Allows you to enable or disable multiple EAPoL clients on the specified ports. Use the no keyword to disable EAPoL clients on the specified ports. Allows you to enter the port or ports you want to configure for EAPoL. Note: If you omit this parameter, the system uses the port number specified when you entered the interface command. Sets the time interval (in seconds) between authentication failure and the start of a new authentication. The range is 1 and The default value is 60. Configuring and Managing Security using the NNCLI and CLI

228 228 Chapter 13 Configuring EAPoL using the NNCLI eapol (continued) followed by: re-authenticate re-authentication re-authentication-period <value> server-timeout < > status <auto unauthorized authorized> supplicant-timeout < > traffic-control <in in-out> transmit-interval < > Re-authenticates the Supplicant connected to this port immediately. Note: Before you can reauthenticate the Supplicant connected to this port, you must first enable reauthentication (see re-authentication ). Enables or disables re-authentication. When enabled, re-authenticates an existing Supplicant at the time interval specified in re-authentication-period <value>. The default is disable. Sets the time interval (in seconds) between successive re-authentications (see re-authentication ). The value is in the range seconds. The default value is 3600 seconds (1 hour). Sets the time (in seconds) to wait for a response from the RADIUS server. The default is 30. Sets the authentication status for this port. The default is authorized. auto - port authorization depends on the results of the EAPoL authentication by the RADIUS server. unauthorized - port is always unauthorized. authorized - port is always authorized. Sets the time (in seconds) to wait for a response from a Supplicant for all EAP packets except EAP Request/Identity packets. The default is 30. Sets the desired level of traffic control for a port. in - Blocks incoming traffic when EAP authentication fails. in-out - Blocks incoming and outgoing traffic when EAP authentication fails. Sets the time (in seconds) to wait for a response from a Supplicant for EAP Request/Identity packets. The default is C

229 Chapter 13 Configuring EAPoL using the NNCLI 229 Configuration example: configuring EAPoL on a port The following configuration example uses the commands described above to perform the following tasks on port 5/5. Set the status so the port is automatically authenticated. Retry sending packets to the Supplicant up to four times maximum. Wait 120 seconds between an authentication failure and another attempt. Wait 90 seconds for the Supplicant s response to EAP Request/Identity packets. Wait 90 seconds for a response from the RADIUS server. Wait 90 seconds for the Supplicant s response to all EAP packets, except EAP Request/Identity packets. Wait 7200 seconds (2 hours) between successive re-authentications. Set re-authentication to enable so that the Supplicant will be re-authenticated every 90 seconds, as specified by the re-authentication period. Note: The NNCLI enables you to string several or all of the available parameters together. For example, you can combine the first two commands in the example below into one command: Passport-8310:5(config-if)#eapol status authorized max-req 4 Figure 57 shows sample output for using the commands for this configuration example. Figure 57 eapol configuration command sample output Passport-8310:5(config-if)#eapol status auto Passport-8310:5(config-if)#eapol max-req 4 Passport-8310:5(config-if)#eapol quiet-interval 120 Passport-8310:5(config-if)#eapol transmit-interval 90 Passport-8310:5(config-if)#eapol server-timeout 90 Passport-8310:5(config-if)#eapol supplicant-timeout 90 Passport-8310:5(config-if)#eapol re-authentication-period 7200 Passport-8310:5(config-if)#eapol re-authentication enable Passport-8310:5(config-if)# Configuring and Managing Security using the NNCLI and CLI

230 230 Chapter 13 Configuring EAPoL using the NNCLI Configuring non-eapol clients on a port To configure non-eapol clients on a specific port, use the following command from the Interface configuration mode: eapol multihost Note: Ensure you are in the Interface configuration mode for a port. For example, from the Global configuration mode, enter the interface fastethernet {slot/port[-slot/port][,...]} command. This command includes the following parameters: eapol multihost followed by: allow-non-eap-enable eap-mac-max <value> enable non-eap-mac <mac> non-eap-mac-max <value> Sets the port to allow (enable) or not allow (disable) a mix of EAPoL clients. Use the no keyword to disable a mix of EAPoL clients. Sets the maximum number of EAPoL clients allowed for the port. Enter an integer value in the range 1 8, which specifies the maximum number of non-eapol clients that can reside on this port. Note: The maximum number of authenticated clients that you can configure on a port is eight. Allows multiple clients to be connected on the port. Allows you to add (insert) a non-eapol MAC address into the non-eap-mac list. Sets the maximum number of non-eapol clients allowed for the port. Enter an integer value in the range 1 8, which specifies the maximum number of non-eapol clients that can reside on this port. Note: The maximum number of non- authenticated clients that you can configure on a port is eight C

231 Chapter 13 Configuring EAPoL using the NNCLI 231 eapol multihost (continued) followed by: port {slot/port[-slot/ port][,...]} radius-non-eap-enable shut-down-on-intrusionenable Allows you to enter the port or ports you want to configure for EAPoL. Note: If you omit this parameter, the system uses the port number specified when you entered the interface command. Enables RADIUS MAC centralization per interface. When enabled, allows the port to shut down when the maximum non-eap clients limit is reached. Changing the authentication status of a port By default, ports are force-authorized. This means that the ports are always authorized and are not authenticated by the RADIUS server. You can change this setting so that the ports are always unauthorized (force-unauthorized). You can also make the ports controlled so that they are automatically authenticated when you globally enable EAPoL (auto). The auto setting automatically authenticates the port according to the results of the RADIUS server. Use the following procedure to navigate from Global configuration mode to Interface configuration mode and set the authentication state for the specified port or ports: 1 Enter the Interface mode from the Global configuration mode and select the port you want to edit: Passport-8310:5(config)#interface FastEthernet <slot/port> 2 Set the EAPoL authentication state for this port: Passport-8310:5(config-if)#eapol status <authorized auto unauthorized> Configuring and Managing Security using the NNCLI and CLI

232 232 Chapter 13 Configuring EAPoL using the NNCLI where: auto specifies that port authorization status depends on the results of the EAPoL authentication by the RADIUS server. authorized indicates that the port is always authorized. unauthorized indicates that the port is always unauthorized. For example, to enable EAPoL on Ethernet port 1/1, enter the following commands: Passport-8310:5(config)#interface FastEthernet 1/1 Passport-8310:5(config-if)#eapol status auto Showing EAPoL statistics The Ethernet Routing Switch 8300 provides the following show commands to help you to monitor and troubleshoot your switch: Showing the EAPoL status of the switch on page 232 Showing EAPoL authenticator statistics on page 233 Showing EAPoL authenticator diagnostics on page 235 Showing EAPoL authenticator session statistics on page 238 Showing EAPoL configuration statistics on page 240 Showing EAPoL operation statistics on page 243 Showing the EAPoL status of the switch To view the current configuration of the switch, use the following command from Privileged EXEC, Global configuration, or Interface configuration mode: show eapol Figure 58 on page 233 shows sample output for this command C

233 Figure 58 show eapol command sample output Chapter 13 Configuring EAPoL using the NNCLI 233 Passport-8306:5(config)#show eapol eap : disabled acct-enable : false default-guest-vlan : false guest-vlan : 4095 radius-mac-centralization : disabled Passport-8306:5(config)# Showing EAPoL authenticator statistics To display the authenticator statistics, use the following command from Privileged EXEC, Global configuration, or Interface configuration mode: show interface <FastEthernet GigabitEthernet> eapol auth-stats [<portlist>] where: portlist uses the convention {slot/port[-slot/port][,...]}. Figure 59 on page 234 shows sample output for this command. Configuring and Managing Security using the NNCLI and CLI

234 234 Chapter 13 Configuring EAPoL using the NNCLI Figure 59 show interface FastEthernet eapol auth-stats sample output Passport-8310:6(config)#show interface FastEthernet eapol auth-stats ================================================================================ Eap Authenticator Statistics ================================================================================ PORT TOTAL TOTAL START LOGOFF RESP_ID RESP REQ-ID REQ INVALID LENGTH FRAME LAST-SRC RX TX RCVD RCVD RCVD RCVD TX TX FRAMES ERROR VER MAC / :00:00:00:00:00 1/ :00:00:00:00:00 1/ :00:00:00:00:00 1/ :00:00:00:00:00 1/ :00:00:00:00:00 1/ :00:00:00:00:00 1/ :00:00:00:00:00 1/ :00:00:00:00:00 1/ :00:00:00:00:00 1/ :00:00:00:00:00 1/ :00:00:00:00:00 1/ :00:00:00:00:00 1/ :00:00:00:00:00 1/ :00:00:00:00:00 1/ :00:00:00:00:00 1/ :00:00:00:00:00 Passport-8310:6(config)# Table 10 describes the parameters in the Eap Authenticator Statistics table. Table 10 Eap Authenticator Statistics table parameters Field TOTAL RX TOTAL TX START RCVD LOGOFF RCVD RESP_ID RCVD RESP RCVD REQ_ID TX Description Displays the number of valid EAPoL frames of any type that have been received by this Authenticator. Displays the number of EAPoL frame types of any type that have been transmitted by this Authenticator. Displays the number of EAPoL start frames that have been received by this Authenticator. Displays the number of EAPoL logoff frames that have been received by this Authenticator. Displays the number of EAPoL Resp/Id frames that have been received by this Authenticator. Displays the number of valid EAP Response frames (Other than Resp/Id frames) that have been received by this Authenticator. Displays the number of EAPoL Req/Id frames that have been transmitted by this Authenticator C

235 Chapter 13 Configuring EAPoL using the NNCLI 235 Table 10 Eap Authenticator Statistics table parameters (continued) Field REQ TX INVALID FRAMES LENGTH ERROR FRAME VER LAST_SRC MAC Description Displays the number of EAP Req/Id frames (other than Rq/Id frames) that have been transmitted by this Authenticator. Displays the number of EAPoL frames that have been received by this Authenticator in which the frame type is not recognized. Displays the number of EAPoL frames that have been received by this Authenticator in which the packet body length field is not valid. Displays the protocol version number that was in the most recently received EAPoL frame. Displays the source MAC address that was in the most recently received EAPoL frame. Showing EAPoL authenticator diagnostics To display the authenticator diagnostics, use the following command from Privileged EXEC, Global configuration, or Interface configuration mode: show interface <FastEthernet GigabitEthernet> eapol auth-diags [<portlist>] where: portlist uses the convention {slot/port[-slot/port][,...]}. Figure 60 on page 236 shows sample output for this command. Configuring and Managing Security using the NNCLI and CLI

236 236 Chapter 13 Configuring EAPoL using the NNCLI Figure 60 show interface FastEthernet eapol auth-diags sample output Passport-8310:6(config)#show interface FastEthernet eapol auth-diags ================================================================================ Eap Authenticator Diagnostics Table ================================================================================ Port 1/1 1/2 1/3 1/4 1/5 1/6 1/7 1/ Enter Conn Logoff While Conn Enter Authing Success While Authing Timeout while Authing Fail While Authing Reauths While Authing Starts While Authing Logoffs While Authing Reauths While Authed Starts While Authed Logoffs While Authed Bkend Resps Bkend Access Chall Bkend Reqs ToSupp Bkend NonNak From Supp Bkend Auth Succ Bkend Auth Fails Table 11 describes the parameters in the Eap Authenticator Diagnostics table. Table 11 Eap Authenticator Diagnostics table parameters Field Enter Conn Logoff While Conn Enter Authing Description Counts the number of times that the Authenticator PAE state machine transitions to the Connecting state from any other state. Counts the number of times that the Authenticator PAE state machine transitions from Connected to Disconnected as a result of receiving an EAPoL-Logoff message. Counts the number of times that the Authenticator PAE state machine transitions from Connecting to Authenticating as a result of receiving an EAP-Response/ Identity message being received from the Supplicant C

237 Chapter 13 Configuring EAPoL using the NNCLI 237 Table 11 Eap Authenticator Diagnostics table parameters (continued) Field Success While Authing Timeout While Authing Fail While Authing Reauths While Authing Starts While Authing Logoffs While Authing Reauths While Authed Starts While Authed Logoffs While Authed Bkend Resps Bkend Access Chall Description Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Authenticated as a result of the Backend authentication state machine indicating successful authentication of the Supplicant. Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Aborting as a result of the Backend authentication state machine indicating authentication timeout. Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Held as a result of the Backend authentication state machine indicating authentication failure. Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Aborting as a result of a reauthentication request. Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Aborting as a result of an EAPoL-Start message being received from the Supplicant. Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Aborting as a result of an EAPoL-Logoff message being received from the Supplicant. Counts the number of times that the Authenticator PAE state machine transitions from Authenticated to Connecting as a result of a reauthentication request. Counts the number of times that the Authenticator PAE state machine transitions from Authenticated to Connecting as a result of an EAPoL-Start message being received from the Supplicant. Counts the number of times that the Authenticator PAE state machine transitions from Authenticated to Disconnected as a result of an EAPoL-Logoff message being received from the Supplicant. Counts the number of times that the Backend Authentication state machine sends an Initial-Access request packet to the Authentication server. Counts the number of times that the Backend Authentication state machine receives an Initial-Access challenge packet from the Authentication server. Configuring and Managing Security using the NNCLI and CLI

238 238 Chapter 13 Configuring EAPoL using the NNCLI Table 11 Eap Authenticator Diagnostics table parameters (continued) Field Bkend Reqs ToSupp Bkend NonNak From Supp Bkend Auth Succ Bkend Auth Fails Description Counts the number of times that the Backend Authentication state machine sends an EAP request packet (other than an Identity, Notification, failure, or success message) to the Supplicant. Counts the number of times that the Backend Authentication state machine receives a response from the Supplicant to an initial EAP request and the response is something other than EAP-NAK. Counts the number of times that the Backend Authentication state machine receives an EAP-success message from the Authentication server. Counts the number of times that the Backend Authentication state machine receives an EAP-failure message from the Authentication server. Showing EAPoL authenticator session statistics To display the authenticator statistics per session, use the following command from Privileged EXEC, Global configuration, or Interface configuration mode: show interface <FastEthernet GigabitEthernet> eapol session-stats [<portlist>] where: portlist uses the convention {slot/port[-slot/port][,...]}. Figure 61 on page 239 shows sample output for this command C

239 Chapter 13 Configuring EAPoL using the NNCLI 239 Figure 61 show interface FastEthernet eapol session-stats sample output Passport-8310:5(config-if)# show interface FastEthernet eapol session-stats ============================================================================= Eap Authenticator Session Statistics ============================================================================= TOTAL TOTAL TOTAL TOTAL OCTETS OCTETS FRAMES FRAMES SESSION AUTHENTIC SESSION TERMINATE USER PORT RCVD TXMT RCVD TXMT ID METHOD TIME CAUSE NAME / none 0 day(s),00:00:00 none 5/ none 0 day(s),00:00:00 none 5/ none 0 day(s),00:00:00 none 5/ none 0 day(s),00:00:00 none 5/ none 0 day(s),00:00:00 none 5/ none 0 day(s),00:00:00 none 5/ none 0 day(s),00:00:00 none 5/ none 0 day(s),00:00:00 none.. Passport-8310:5(config-if)# Table 12 describes the parameters in the Eap Authenticator Session Statistics table. Table 12 Eap Authenticator Session Statistics table parameters Field TOTAL OCTETS RCVD TOTAL OCTETS TXMT TOTAL FRAMES RCVD TOTAL FRAMES TXMT SESSION ID AUTHENTIC METHOD SESSION TIME Description Displays the number of octets received in user data frames on this port during the session. Displays the number of octets transmitted in user data frames on this port during the session. Displays the number of user data frames received on this port during the session. Displays the number of user data frames transmitted on this port during the session. Displays a unique identifier for the session that is at least three characters. Displays the authentication method (remote or local RADIUS server) used to establish the session. Displays the duration of the session (in seconds). Configuring and Managing Security using the NNCLI and CLI

240 240 Chapter 13 Configuring EAPoL using the NNCLI Table 12 Eap Authenticator Session Statistics table parameters (continued) Field TERMINATE CAUSE USER NAME Description Displays the reason for the session being terminated. The possible reasons are: Supplicant logoff Port failure Supplicant restart Re-authentication failed Control force unauthorized Port re-initialized Port admin disabled Not terminated Displays the user name of the Supplicant PAE. Showing EAPoL configuration statistics To display configuration information for the supplicant PAE associated with each selected port, use the following command from Privileged EXEC, Global configuration, or Interface configuration mode: show interface <FastEthernet GigabitEthernet> eapol config [<portlist>] where: portlist uses the convention {slot/port[-slot/port][,...]} Figure 62 on page 241 shows sample output for this command C

241 Figure 62 show interface FastEthernet eapol config sample output Chapter 13 Configuring EAPoL using the NNCLI 241 Passport-8310:6(config)#show interface FastEthernet eapol config ============================================================================================= Eap Authenticator Config Table ============================================================================================= PORT 2/1 2/2 2/3 2/4 2/ Admin Status force-auth force-auth force-auth force-auth force-auth Control Direction both both both both both Max Request Quiet Period Transmit Period Server Timeout Supplicant Timeout Reauthentication false false false false false Reauth Period Guest-Vlan State disabled disabled disabled disabled disabled Guest-Vlan ID Multi Host disabled disabled disabled disabled disabled Max Multi Host Allow Non-Eap Host disabled disabled disabled disabled disabled Max Non-Eap Host Passport-8310:6(config)# Configuring and Managing Security using the NNCLI and CLI

242 242 Chapter 13 Configuring EAPoL using the NNCLI Table 13 describes the parameters in the Eap Authenticator Config table. Table 13 Eap Config table parameters Item ADMIN STATUS CTRL DIR MAX REQ QUIET PERIOD TRANSMIT PERIOD SERVER TIMEOUT SUPPLICANT TIMEOUT REAUTHENTICATION REAUTH PERIOD Description Displays the authentication status for this port. force-unauthorized - port is always unauthorized. auto - port authorization depends on the results of the EAPoL authentication by the RADIUS server. force-authorized - port is always authorized. Indicates the control direction. Control direction can be either incoming-only or incoming-and-outgoing. If the port is unauthorized, traffic is blocked, based on this setting. If traffic-control-directions is set to incoming-only, ingressing traffic is blocked; egress traffic is forwarded normally. If traffic-control-directions is set to incoming -and -outgoing, traffic is blocked in both directions. Displays the maximum number of times to retry sending packets to the Supplicant. Displays the time interval (in seconds) between authentication failure and the start of a new authentication. Displays the time (in seconds) that the Authenticator waits for a response from a Supplicant for EAP Request/Identity packets. Displays the time (in seconds) that the Authenticator waits for a response from the RADIUS server. Displays the time (in seconds) that the Authenticator waits for a response from a Supplicant for all EAP packets except EAP Request/Identity packets. When set to true, the Authenticator re-authenticates a Supplicant at the time interval specified in REAUTH PERIOD. Displays the time interval (in seconds) between successive re-authentications C

243 Showing EAPoL operation statistics Chapter 13 Configuring EAPoL using the NNCLI 243 To display statistical information about the authenticator, use the following command from Privileged EXEC, Global configuration, or Interface configuration mode: show interface <FastEthernet GigabitEthernet> eapol oper-stats [<portlist>] where: portlist uses the convention {slot/port[-slot/port][,...]}. Figure 63 shows sample output for this command. Figure 63 show interface FastEthernet eapol oper-stats sample output Passport-8310:6(config)#show interface FastEthernet eapol oper-stats ================================================================================ Eap Oper Stats ================================================================================ PORT CTRL PORT PAE BKEND DIR STATUS STATUS STATUS /1 both authorized force-authorized idle 1/2 both authorized force-authorized idle 1/3 both authorized force-authorized idle 1/4 both authorized force-authorized idle 1/5 both authorized force-authorized idle 1/6 both authorized force-authorized idle 1/7 both authorized force-authorized idle 1/8 both authorized force-authorized idle 1/9 both authorized force-authorized idle 1/10 both authorized force-authorized idle 1/11 both authorized force-authorized idle 1/12 both authorized force-authorized idle 1/13 both authorized force-authorized idle 1/14 both authorized force-authorized idle 1/15 both authorized force-authorized idle 1/16 both authorized force-authorized idle Passport-8310:6(config)# Configuring and Managing Security using the NNCLI and CLI

244 244 Chapter 13 Configuring EAPoL using the NNCLI Table 14 describes the parameters in the Eap Oper Stats table. Table 14 Eap Oper Stats table parameters Item CTRL DIR PORT STATUS PAE STATUS BKEND STATUS Description Indicates the control direction. Control direction can be either incoming-only or incoming-and-outgoing. If the port is unauthorized, traffic is blocked, based on this setting. If traffic-control-directions is set to incoming-only, ingressing traffic is blocked; egress traffic is forwarded normally. If traffic-control-directions is set to incoming -and -outgoing, traffic is blocked in both directions. Displays the authentication status for this port. unauthorized - port is always unauthorized. auto - port authorization depends on the results of the EAPoL authentication by the RADIUS server. authorized - port is always authorized. Displays the current Authenticator PAE state. The possible states are: initialized disconnected connecting authenticating authenticated aborting held force-authorized force-unauthorized Displays the current state of Backend Authentication. The possible states are: request response success fail timeout idle initialize Showing multiple clients session information To display information about multiple client sessions configured on one or more ports, use the following command from the Privilege EXEC, User EXEC, Global configuration, and the Interface modes: show interface <FastEthernet GigabitEthernet> eapol multihost-session-stats [<ports>] where: ports uses the convention {slot/port[-slot/port][,...]} Figure 64 on page 245 shows sample output for this command. In this example, ports 1/1 to 1/4 have been selected for display C

245 Chapter 13 Configuring EAPoL using the NNCLI 245 Figure 64 show interface fastethernet eapol multi-host-session-stats command sample output Passport-8310:5# show interface fastethernet eapol multi-host-session-stats 1/1-1/8 Unit/Port Client-Mac_Addr Session-Id Auth-Method Session-Time /1 00:00:00:00:00:00 10 local-server 00:04:16:09 1/2 00:00:00:00:00:00 20 local-server 00:00:05:32 1/3 00:00:00:00:00:00 30 local-server 00:02:24:45 1/4 00:00:00:00:00:00 40 local-server 00:01:09:03 Term-Cause User-Name re-auth failure not-terminated user2 not-terminated user3 not-terminated user4 Table 15 describes the information provided for multiple client sessions. Table 15 show ports info eapol oper-stats parameters Item Unit/Port Client MAC Address Session ID Authentication Method Session Time Terminate Cause User Name Description Lists the port number for the displayed statistics. Displays the MAC address of the client. Displays the unique identifier for the session. Displays the authentication method (remote-server or local-server) used to establish the session. Displays the duration of the session (in days, hours, minutes, and seconds). Displays the reason for the session being terminated. The possible reasons are: Supplicant logoff Port failure Supplicant restart Re-authentication failed Control force unauthorized Port re-initialized Port admin disabled Not terminated Displays the username of the Supplicant PAE. Configuring and Managing Security using the NNCLI and CLI

246 246 Chapter 13 Configuring EAPoL using the NNCLI Viewing the status of non-eapol clients that use RADIUS To view information about non-eapol clients using RADIUS on one or more ports, use the following command from the Privilege EXEC, User EXEC, Global configuration, and the Interface modes: show eapol multihost non-eap-mac status [<ports>] where: ports uses the convention {slot/port[-slot/port][,...]}. Figure 65 shows sample output for this command. Figure 65 show eapol multihost non-eap-mac status command sample output Passport-8310:5(config)# show eapol multihost non-eap-mac status Unit/Port Client Mac Addr Authentication Status /1 00:00:00:00:00:00 pending 1/2 00:00:00:00:00:00 pending 1/3 00:00:00:00:00:00 request-dropped 1/4 00:00:00:00:00:00 authenticated Passport-8310:5(config)# Table 16 describes the information provided by the show eapol multihost non-eap-mac status command. Table 16 show eapol multihost non-eap-mac status parameters Item Unit/Port Description Indicates the slot/port number C

247 Chapter 13 Configuring EAPoL using the NNCLI 247 Table 16 show eapol multihost non-eap-mac status parameters (continued) Item Client Mac Address Authentication Status Description Displays the non-eap MAC address for the device connected to the port. Displays the RADIUS authentication status of the learned MAC addresses. There are five possible status options: Pending Rejected Authenticated Request dropped Server not reachable Note: Non-EAP clients are not authenticated if the RADIUS queue is full, or if the RADIUS server cannot process the requests. For example, when the RADIUS server is down during the STP convergence, a discard filter is added for non-eap clients. The RADIUS request for the non-eap clients times out and is dropped. That is, the non-eap clients are discarded and never get a chance to be authenticated. In addition, if the RADIUS queue is full and more RADIUS requests come in, all those additional RADIUS requests are dropped. To solve this issue, in Ethernet Routing Switch 8300 software release 2.2 the authentication status of the non-eap client changes from pending to radius-server-not-reachable when the RADIUS request of a non-eap client times out. Also, when the RADIUS request of a non-eap client is dropped due to insufficient space in the RADIUS queue, the authentication status of the non-eap client is changed to radius-request-dropped. The discarded RADIUS non-eap clients (with an authentication status of radius-request-dropped or radius-server-not-reachable) receive another chance to be authenticated when one of the following occurs: The discard-filter-ageout timer (configured by the user) expires. By default, the discard-filter-ageout value is 10 seconds. The user can configure it to a value in the range of seconds. Traffic from the RADIUS server is received. In addition, a consistency check prevents enabling EAP and unknown-mac-discard together. Configuring and Managing Security using the NNCLI and CLI

248 248 Chapter 13 Configuring EAPoL using the NNCLI Viewing allowed non-eapol MAC addresses To view the allowed non-eapol MAC addresses and the associated slot/port for each, use the following command from the Privilege EXEC, User EXEC, Global configuration, and the Interface modes: show eapol multihost non-eap-mac interface [<ports>] where: ports uses the convention {slot/port[-slot/port][,...]}. Figure 66 shows sample output for this command. Figure 66 show eapol multihost non-eap-mac interface command sample output Passport-8310:5(config)# show eapol multihost non-eap-mac interface Unit/Port Allowed Mac Addr /1 00:00:00:00:00:00 1/2 00:00:00:00:00:00 1/3 00:00:00:00:00:00 1/4 00:00:00:00:00:00 Passport-8310:5(config)# Table 17 describes the information provided by the show eapol multihost non-eap-mac interface command. Table 17 show eapol multihost non-eap-mac interface parameters Item Unit/Port Allowed Mac Address Description Indicates the slot/port number. Displays the list of allowed non-eap MAC addresses that have been added C

249 Chapter 14 Configuring EAPOL using the CLI 249 Extensible Authentication Protocol over LAN (EAPoL) is a port-based network access control protocol. EAPoL provides security to your network by preventing users from accessing network resources before they are authenticated. EAPoL allows you to set up network access control on internal LANs and to exchange authentication information between any end station or server connected to the Ethernet Routing Switch 8300 and an authentication server (such as a RADIUS server). This security feature extends the benefits of remote authentication to internal LAN clients. For example, if a new client PC fails the authentication process, EAPoL prevents it from accessing the network. This chapter includes the following topics: Topic Page Roadmap of CLI EAPoL commands 250 Configuration prerequisites 253 Adding an EAPoL-enabled RADIUS server 255 Deleting an EAPoL-enabled RADIUS server 258 Modifying EAPoL-enabled RADIUS server parameters 258 Configuring EAPoL globally 254 Configuring EAPoL on a port 260 Configuring non-eapol clients on a port 264 Showing EAPoL statistics 266 Viewing the status of non-eapol clients that use RADIUS 280 Configuring and Managing Security using the NNCLI and CLI

250 250 Chapter 14 Configuring EAPOL using the CLI Roadmap of CLI EAPoL commands The following roadmap lists the CLI EAPoL commands and their parameters. Use this list as a quick reference or click on any entry for more information: Command config radius server create <ipaddr> secret <value> usedby eapol Parameter config radius server delete <ipaddr> usedby eapol config radius server set <ipaddr> usedby eapol config sys set eapol config ethernet <ports> eapol info acct-enable <true false> clear-stat default-guest-vlan <enable disable> enable disable guest-vlan <vid> radius-mac-centralization <enable disable> radius-discard-filter-ageout <value> info admin-status <auto force-unauthorized force-auth orized> admin-traffic-control <incoming-and-outgoing incoming-only> default-guest-vlan <enable disable> C

251 Chapter 14 Configuring EAPOL using the CLI 251 Command Parameter guest-vlan <vid> multi-host <enable disable> max-multi-hosts <1..8> initialize max-req <1...10> quiet-period < seconds> reauthentication <true false> reauthenticate-now reauthentication-period < seconds> server-timeout < seconds> supplicant-timeout < seconds> transmit-period < seconds> config ethernet <ports> eapol non-eap-mac info add <mac> allow-non-eap-clients <enable disable> clear radius-mac-centralization <enable disable> shut-down-on-intrusion <enable disable> max-non-eap-clients <1..8> remove <mac> show sys eapol Configuring and Managing Security using the NNCLI and CLI

252 252 Chapter 14 Configuring EAPOL using the CLI Command show ports info eapol auth-stats [<ports>] Parameter show ports info eapol auth-diags [<ports>] show ports info eapol session-stats [<ports>] show ports info eapol config [<ports>] show ports info eapol oper-stats [<ports>] show ports info eapol multi-host-session-stats [<ports>] show ports info eapol radius-non-eap-mac [<ports>] show ports info eapol non-eap-mac [<ports>] C

253 Configuration prerequisites Chapter 14 Configuring EAPOL using the CLI 253 Use the following configuration rules when using EAPoL: Before configuring your switch for EAPoL and RADIUS MAC centralization, you must configure at least one EAPoL RADIUS Server and Shared Secret field. You cannot configure EAPoL on ports that are currently configured for: shared segments multilink trunking (MLT) tagging Note: Although you can enable both port mirroring and EAPoL on a port, Nortel does not recommend it. You can enable EAPoL in any order; that is, you do not have to enable EAPoL locally before you can enable it globally. You can connect up to eight clients on each EAPoL-enabled port if you enable the Multiple Host feature. EAPoL uses the RADIUS protocol to authenticate EAPoL logins. See Chapter 12, Configuring RADIUS authentication and accounting using the CLI, on page 201 for more information on using the RADIUS protocol. Configuring and Managing Security using the NNCLI and CLI

254 254 Chapter 14 Configuring EAPOL using the CLI Configuring EAPoL globally To globally configure EAPoL, use the following command: config sys set eapol This command includes the following parameters: config sys set eapol followed by: info acct-enable <true false> clear-stat default-guest-vlan <enable disable> enable disable guest-vlan <vid> radius-mac-centralization <enable disable> radius-discard-filter-age out <value> Displays information about the current global EAPoL configuration. Globally enables or disables RADIUS accounting. true enables RADIUS accounting false disables RADIUS accounting Clears all EAPoL authentication and diagnostic statistics. Globally enables or disables Guest VLANs on the switch. enable globally enables Guest VLANs. disable globally disables Guest VLANs. Globally enables EAPoL on the switch. Globally disables EAPoL on the switch. Globally assigns the Guest VLAN identification number on the switch. vid is an integer value in the range 1 and 4000, which represents the Guest VLAN Id. Globally enables or disables RADIUS MAC centralization. Globally sets the ageout period for pending (due to server timeout or the server is unreachable) non-eap-macs. The ageout <value> is in the range seconds C

255 Adding an EAPoL-enabled RADIUS server Chapter 14 Configuring EAPOL using the CLI 255 The Ethernet Routing Switch 8300 can use RADIUS servers for authentication services. To add an EAPoL-enabled RADIUS server, use the following command: config radius server create <ipaddr> secret <value> usedby eapol where: ipaddr indicates the IP address of the selected server. value specifies the secret key, which is a string of up to 20 characters. The RADIUS server uses this password to validate users. Note: The usedby attribute determines how the server functions: cli - configures the server for CLI authentication. eapol - configures the server for EAPoL authentication. Configuring and Managing Security using the NNCLI and CLI

256 256 Chapter 14 Configuring EAPOL using the CLI Other optional parameters that you can use with the config radius server create <ipaddr> secret <value> usedby eapol command are: config radius server <ipaddr> secret <value> usedby eapol optional parameters: [port <value>] [priority <value>] [retry <value>] [timeout <value>] [enable <value>] [acct-port <value>] [acct-enable <value>] [source-ip <value>] Optional parameters: port <value> specifies the UDP port that the client uses to send requests to the server (in the range ). The default value is The UDP port value set for the client must match the UDP value set for the RADIUS server. priority <value> specifies the priority of each server (that is, the order in which authentication is sent to servers when more than one is configured). The range is The default is 10. retry <value> specifies the maximum number of retransmissions allowed (in the range 1 6). The default value is 3. timeout <value> specifies the time interval, in seconds, before the client retransmits the packet (in the range 1 10). The default value is 3 seconds. enable <value> enables (true) or disables (false) authentication on the server. The default is true. acct-port <value> is the UDP port the client uses to send accounting requests to the server (in the range ). The default value is The UDP port value set for the client must match the UDP value set for the RADIUS server. acct-enable <value> enables (true) or disables (false) RADIUS accounting. source-ip <value> is the IP address of the gateway or router. Configuration example: adding an EAPoL-enabled RADIUS server To configure a RADIUS server to be used by EAPoL on the Ethernet Routing Switch 8300: 1 Enable RADIUS authentication globally: Passport-8310:5# config radius authentication-enable true 2 Add the RADIUS server: C

257 Chapter 14 Configuring EAPOL using the CLI 257 Passport-8310:5# config radius server create <IP address> secret <value> usedby eapol By default, the Ethernet Routing Switch 8300 uses RADIUS UDP ports 1812 and You can change the port number or other RADIUS server options when you add the RADIUS server. Figure 67 shows the command input and results. Figure 67 config radius server command sample output Passport-8310:5# config radius authentication-enable true Passport-8310:5# config radius server create secret 9 usedby eapol Passport-8310:5# config radius server info Sub-Context: clear config monitor show test trace Current Context: create : Name Used Secret Port Pri Re Time Auth Acct Acct source by try out enbld port enbld ip eap true 1813 true Passport-8310:5# delete : N/A set : N/A Note: When a port is configured for EAPoL (that is, it has an EAPoL status of auto), up to eight supplicants and eight non-eapol clients (MACs) are allowed on this port. Configuring and Managing Security using the NNCLI and CLI

258 258 Chapter 14 Configuring EAPOL using the CLI Deleting an EAPoL-enabled RADIUS server To delete an EAPoL-enabled RADIUS server, use the following command: config radius server delete <ipaddr> usedby eapol where: ipaddr indicates the IP address of the selected server. Note: The usedby parameter determines how the server functions: cli - configures the server for CLI authentication. eapol - configures the server for EAPoL authentication. Modifying EAPoL-enabled RADIUS server parameters To set EAPoL-enabled RADIUS server parameters without having to delete the server and recreate it, use the following command: config radius server set <ipaddr> usedby eapol where: ipaddr indicates the IP address of the selected server. Note: The usedby parameter determines how the server functions: cli - configures the server for CLI authentication. eapol - configures the server for EAPoL authentication C

259 Chapter 14 Configuring EAPOL using the CLI 259 Other optional parameters that you can use with the config radius server set <ipaddr> usedby eapol command are: config radius server set <ipaddr> usedby eapol optional parameters: [secret <value>] [port <value>] [priority <value>] [retry <value>] [timeout <value>] [enable <value>] [acct-port <value>] [acct-enable <value>] [source-ip <value>] Optional parameters: secret <value> specifies the secret key, which is a string of up to 20 characters. The RADIUS server uses this password to validate users. port <value> specifies the UDP port that the client uses to send requests to the server (in the range ). The default value is The UDP port value set for the client must match the UDP value set for the RADIUS server. priority <value> specifies the priority of each server (that is, the order in which authentication is sent to servers when more than one is configured). The range is The default is 10. retry <value> specifies the maximum number of retransmissions allowed (in the range 1 6). The default value is 3. timeout <value> specifies the time interval, in seconds, before the client retransmits the packet (in the range 1 10). The default value is 3 seconds. enable <value> enables (true) or disables (false) authentication on the server. The default is true. acct-port <value> is the UDP port the client uses to send accounting requests to the server (in the range ). The default value is The UDP port value set for the client must match the UDP value set for the RADIUS server. acct-enable <value> enables (true) or disables (false) RADIUS accounting. source-ip <value> is the IP address of the gateway or router. For more information about this command and the options that can be used with it, refer to Chapter 12, Configuring RADIUS authentication and accounting using the CLI, on page 201. Configuring and Managing Security using the NNCLI and CLI

260 260 Chapter 14 Configuring EAPOL using the CLI Configuring EAPoL on a port To configure EAPoL on a specific port, use the following command: config ethernet <ports> eapol where: ports uses the convention {slot/port[-slot/port][,...]} This command includes the following parameters: config ethernet <ports> eapol followed by: info Displays information about the current EAPoL configuration on this port. admin-status <auto force-unauthorized force-authorized> admin-traffic-control <incoming-and-outgoing incoming-only> default-guest-vlan <enable disable> guest-vlan <vid> multi-host <enable disable> Sets the authorization status for this port. The default is force-authorized. auto - port authorization depends on the results of the EAPoL authentication by the RADIUS server. force-unauthorized - port is always unauthorized. force-authorized - port is always authorized. Sets the authorization status (admin-status) traffic control direction: incoming-and-outgoing - traffic control is applied to both incoming and outgoing packets. incoming-only - traffic control is only applied to incoming packets. Enables or disables the Guest VLAN on this port. Assigns the guest VLAN identification number (vid). <vid> is the vlan id, an integer value in the range Allows you to enable or disable multiple EAPoL clients on the specified ports C

261 Chapter 14 Configuring EAPOL using the CLI 261 config ethernet <ports> eapol (continued) followed by: max-multi-hosts <1..8> initialize max-req <1...10> quiet-period < seconds> reauthentication <true false> reauthenticate-now reauthentication-period < seconds> server-timeout < seconds> Sets the maximum number of EAPoL hosts for the port indicates that you enter an integer value in the range 1 and 8, which specifies the maximum number of hosts that can reside on this port. Initializes EAPoL authentication on the specified port. Sets the maximum number of times to retry sending packets to the Supplicant. The default is 2. Sets the time interval (in seconds) between authentication failure and the start of a new authentication. The default is 60. When enabled (true), re-authenticates an existing Supplicant at the time interval specified in reauthentication-period < seconds>. The default is false. Reauthenticates the Supplicant connected to this port immediately. Note: Before you can reauthenticate the Supplicant connected to this port, you must first enable reauthentication (see reauthentication <true false> ). Sets the time interval (in seconds) between successive re-authentications (see reauthentication <true false> ). The default is 3600 (1 hour). Sets the time (in seconds) to wait for a response from the RADIUS server. The default is 30. Configuring and Managing Security using the NNCLI and CLI

262 262 Chapter 14 Configuring EAPOL using the CLI config ethernet <ports> eapol (continued) followed by: supplicant-timeout < seconds> transmit-period < seconds> Sets the time (in seconds) to wait for a response from a Supplicant for all EAP packets, except EAP Request/Identity packets. The default is 30. Sets the time (in seconds) to wait for a response from a Supplicant for EAP Request/Identity packets. The default is 30. Configuration example: configuring EAPoL on a port The following configuration example uses commands described above to perform the following tasks on port 1/1. Set the status so the port is automatically authenticated. Retry sending packets to the Supplicant up to four times maximum. Wait 120 seconds between an authentication failure and another attempt. Wait 90 seconds for the Supplicant s response to EAP Request/Identity packets. Wait 90 seconds for a response from the RADIUS server. Wait 90 seconds for the Supplicant s response to all EAP packets, except EAP Request/Identity packets. Wait 7200 seconds (2 hours) between successive re-authentications. Set re-authentication to enable so that the Supplicant will be re-authenticated every 90 seconds, as specified by the re-authentication period. Figure 68 on page 263 shows sample output for using the commands for this configuration example. The config ethernet <ports> eapol info command shows a summary of the results C

263 Figure 68 eapol configuration command sample output Chapter 14 Configuring EAPOL using the CLI 263 Passport-8310:6#config ethernet 1/1 eapol Passport-8310:6/config/ethernet/1/1/eapol# admin-status auto Passport-8310:6/config/ethernet/1/1/eapol# max-req 4 Passport-8310:6/config/ethernet/1/1/eapol# quiet-period 120 Passport-8310:6/config/ethernet/1/1/eapol# transmit-period 90 Passport-8310:6/config/ethernet/1/1/eapol# server-timeout 90 Passport-8310:6/config/ethernet/1/1/eapol# supplicant-timeout 90 Passport-8310:6/config/ethernet/1/1/eapol# reauthentication-period 7200 Passport-8310:6/config/ethernet/1/1/eapol# reauthentication true Passport-8610:5# config ethernet 1/1 eapol info admin-status : auto admin-traffic-control : incoming-and-outgoing default-guest-vlan : disabled guest-vlan : 4095 multi-host : enabled max-multi-hosts : 1 max-req : 4 quiet-period : 120 transmit-period : 90 server-timeout : 90 supplicant-timeout : 90 reauthentication-period : 7200 reauthentication : true Configuring and Managing Security using the NNCLI and CLI

264 264 Chapter 14 Configuring EAPOL using the CLI Configuring non-eapol clients on a port To configure non-eapol clients on a specific port, use the following command: config ethernet <ports> eapol non-eap-mac where: ports uses the convention {slot/port[-slot/port][,...]} This command includes the following parameters: config ethernet <ports> eapol non-eap-mac followed by: info Displays information about the current non-eapol client configuration on this port. add <mac> Allows you to add (insert) a non-eapol MAC address into the non-eap-mac list. mac is the non-eapol MAC address, in the format: {0x00:0x00:0x00:0x00:0x00:0x00} allow-non-eap-clients <enable disable> clear radius-mac-centralization <enable disable> shut-down-on-intrusion <enable disable> max-non-eap-clients <1..8> remove <mac> Sets the port to allow (enable) or not allow (disable) a mix of EAPoL clients. Clears all MAC addresses from the non-eap-mac list. Enables or disables the RADIUS MAC centralization feature on the port. When enabled, allows the port to shut down when the maximum non-eap clients limit is reached. Sets the maximum number of non-eapol clients allowed for the port indicates that you enter an integer value in the range 1 and 8, which specifies the maximum number of non-eapol clients that can reside on this port. Deletes the specified MAC address <mac> from the non-eap-mac list C

265 Chapter 14 Configuring EAPOL using the CLI 265 Changing the authentication status of a port By default, ports are force-authorized. This means that the ports are always authorized and are not authenticated by the RADIUS server. You can change this setting so that the ports are always unauthorized (force-unauthorized). You can also make the ports controlled so that they are automatically authenticated when you globally enable EAPoL (auto). The auto setting automatically authenticates the port according to the results of the RADIUS server. Use the following procedure to navigate from Global configuration mode to Interface configuration mode and set the authentication state for the specified port or ports: 1 Select the port you want to edit: Passport-8310:5# config ethernet <slot/port> 2 Set the EAPoL authentication state for this port: Passport-8310:5(config-if)#eapol admin-status <auto force-unauthorized force-authorized> where: auto specifies that port authorization status depends on the results of the EAPoL authentication by the RADIUS server. force-authorized indicates that the port is always authorized. force-unauthorized indicates that the port is always unauthorized. For example, to enable EAPoL on Ethernet port 1/1, enter the following commands: Passport-8310:5# config ethernet 1/1 Passport-8310:5/config/ethernet/1/1# eapol admin-status auto Configuring and Managing Security using the NNCLI and CLI

266 266 Chapter 14 Configuring EAPOL using the CLI Showing EAPoL statistics The Ethernet Routing Switch 8300 provides the following show commands to help you to monitor and troubleshoot your switch: Showing the EAPoL status of the switch on page 266 Showing EAPoL authenticator statistics on page 267 Showing EAPoL authenticator diagnostics on page 269 Showing EAPoL authenticator session statistics on page 272 Showing EAPoL configuration statistics on page 274 Showing EAPoL operation statistics on page 276 Showing the EAPoL status of the switch To view the current configuration of the switch, use the following command: show sys eapol Figure 69 shows sample output for this command. Figure 69 show sys eapol command sample output Passport-8610:5# show sys eapol eap : enabled acct-enable : false default-guest-vlan : false guest-vlan : 4095 radius-mac-centralization : enabled Passport-8610:5# C

267 Showing EAPoL authenticator statistics Chapter 14 Configuring EAPOL using the CLI 267 To view the authenticator statistics, use the following command: show ports info eapol auth-stats [<ports>] where: ports uses the convention {slot/port[-slot/port][,...]} Figure 70 shows sample output for this command. Figure 70 show ports info eapol auth-stats command sample output Passport-8310:5# show ports info eapol auth-stats 1/1 ============================================================================= Eap Authenticator Statistics ============================================================================= PORT TOTAL TOTAL START LOGOFF RESP_ID RESP REQ-ID REQ INVALID LENGTH FRAME LAST-SRC RX TX RCVD RCVD RCVD RCVD TX TX FRAMES ERROR VER MAC / :00:00:00:00: Table 18 describes the parameters in the Eap Authenticator Statistics table. Table 18 show ports info eapol auth-stats parameters Field TOTAL RX TOTAL TX START RCVD LOGOFF RCVD RESP_ID RCVD Description Displays the number of valid EAPoL frames that have been received by this Authenticator. Displays the number of EAPoL frames that have been transmitted by this Authenticator. Displays the number of EAPoL start frames that have been received by this Authenticator. Displays the number of EAPoL logoff frames that have been received by this Authenticator. Displays the number of EAPoL Resp/Id frames that have been received by this Authenticator. Configuring and Managing Security using the NNCLI and CLI

268 268 Chapter 14 Configuring EAPOL using the CLI Table 18 show ports info eapol auth-stats parameters (continued) Field RESP RCVD REQ_ID TX REQ TX INVALID FRAMES LENGTH ERROR FRAME VER LAST_SRC MAC Description Displays the number of valid EAP Response frames (Other than Resp/Id frames) that have been received by this Authenticator. Displays the number of EAPoL Req/Id frames that have been transmitted by this Authenticator. Displays the number of EAPoL Required frames (other than Rq/Id frames) that have been transmitted by this Authenticator. Displays the number of EAPoL frames that have been received by this Authenticator in which the frame type is not recognized. Displays the number of EAPoL frames that have been received by this Authenticator in which the packet body length field is not valid. Displays the protocol version number that was in the most recently received EAPoL frame. Displays the source MAC address that was in the most recently received EAPoL frame C

269 Chapter 14 Configuring EAPOL using the CLI 269 Showing EAPoL authenticator diagnostics To view the authenticator diagnostics, use the following command: show ports info eapol auth-diags [<ports>] where: ports uses the convention {slot/port[-slot/port][,...]} Figure 71 shows sample output for this command. Figure 71 show ports info eapol auth-diags command sample output Passport-8310:5# show ports info eapol auth-diags ============================================================================= Eap Authenticator Diagnostics Table ============================================================================= Port 1/1 1/2 1/3 1/4 1/5 1/6 1/7 1/ Enter Conn Logoff While Conn Enter Authing Success While Authing Timeout while Authing Fail While Authing Reauths While Authing Starts While Authing Logoffs While Authing Reauths While Authed Starts While Authed Logoffs While Authed Bkend Resps Bkend Access Chall Bkend Reqs ToSupp Bkend NonNak From Supp Bkend Auth Succ Bkend Auth Fails Configuring and Managing Security using the NNCLI and CLI

270 270 Chapter 14 Configuring EAPOL using the CLI Table 19 describes the parameters in the Eap Authenticator Diagnostics Table. Table 19 show ports info eapol auth-diags parameters Field Enter Conn Logoff While Conn Enter Authing Success While Authing Timeout While Authing Fail While Authing Reauths While Authing Starts While Authing Logoffs While Authing Reauths While Authed Description Counts the number of times that the Authenticator PAE state machine transitions to the Connecting state from any other state. Counts the number of times that the Authenticator PAE state machine transitions from Connected to Disconnected as a result of receiving an EAPoL-Logoff message. Counts the number of times that the Authenticator PAE state machine transitions from Connecting to Authenticating as a result of receiving an EAP-Response/ Identity message being received from the Supplicant. Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Authenticated as a result of the Backend authentication state machine indicating successful authentication of the Supplicant. Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Aborting as a result of the Backend authentication state machine indicating authentication timeout. Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Held as a result of the Backend authentication state machine indicating authentication failure. Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Aborting as a result of a reauthentication request. Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Aborting as a result of an EAPoL-Start message being received from the Supplicant. Counts the number of times that the Authenticator PAE state machine transitions from Authenticating to Aborting as a result of an EAPoL-Logoff message being received from the Supplicant. Counts the number of times that the Authenticator PAE state machine transitions from Authenticated to Connecting as a result of a reauthentication request C

271 Chapter 14 Configuring EAPOL using the CLI 271 Table 19 show ports info eapol auth-diags parameters (continued) Field Starts While Authed Logoffs While Authed Bkend Resps Bkend Access Chall Bkend OtherReqs ToSupp Bkend NonNak FromSupp Bkend Auth Succ Bkend Auth Fails Description Counts the number of times that the Authenticator PAE state machine transitions from Authenticated to Connecting as a result of an EAPoL-Start message being received from the Supplicant. Counts the number of times that the Authenticator PAE state machine transitions from Authenticated to Disconnected as a result of an EAPoL-Logoff message being received from the Supplicant. Counts the number of times that the Backend Authentication state machine sends an Initial-Access request packet to the Authentication server. Counts the number of times that the Backend Authentication state machine receives an Initial-Access challenge packet from the Authentication server. Counts the number of times that the Backend Authentication state machine sends an EAP request packet (other than an Identity, Notification, failure, or success message) to the Supplicant. Counts the number of times that the Backend Authentication state machine receives a response from the Supplicant to an initial EAP request and the response is something other than EAP-NAK. Counts the number of times that the Backend Authentication state machine receives an EAP-success message from the Authentication server. Counts the number of times that the Backend Authentication state machine receives an EAP-failure message from the Authentication server. Configuring and Managing Security using the NNCLI and CLI

272 272 Chapter 14 Configuring EAPOL using the CLI Showing EAPoL authenticator session statistics To view the authenticator statistics per session, use the following command: show ports info eapol session-stats [<ports>] where: ports uses the convention {slot/port[-slot/port][,...]} Figure 72 shows sample output for this command. Figure 72 show ports info eapol session-stats command sample output Passport-8310:5/show/ports/info/eapol# session-stats =================================================================================================== Eap Authenticator Session Statistics =================================================================================================== TOTAL TOTAL TOTAL TOTAL OCTETS OCTETS FRAMES FRAMES SESSION AUTHENTIC SESSION TERMINATE USER PORT RCVD TXMT RCVD TXMT ID METHOD TIME CAUSE NAME / none 0 day(s), 00:00:00 none 5/ none 0 day(s), 00:00:00 none 5/ none 0 day(s), 00:00:00 none 5/ none 0 day(s), 00:00:00 none 5/ none 0 day(s), 00:00:00 none 5/ none 0 day(s), 00:00:00 none 5/ none 0 day(s), 00:00:00 none 5/ none 0 day(s), 00:00:00 none 7/ none 0 day(s), 00:00:00 none 7/ none 0 day(s), 00:00:00 none 7/ none 0 day(s), 00:00:00 none 7/ none 0 day(s), 00:00:00 none 7/ none 0 day(s), 00:00:00 none 7/ none 0 day(s), 00:00:00 none 7/ none 0 day(s), 00:00:00 none C

273 Chapter 14 Configuring EAPOL using the CLI 273 Table 20 describes the parameters in the Eap Authenticator Session Statistics table. Table 20 show ports info eapol session-stats parameters Field TOTAL OCTETS RCVD TOTAL OCTETS TXMT TOTAL FRAMES RCVD TOTAL FRAMES TXMT SESSION ID AUTHENTIC METHOD SESSION TIME TERMINATE CAUSE USER NAME Description Displays the number of octets received in user data frames on this port during the session. Displays the number of octets transmitted in user data frames on this port during the session. Displays the number of user data frames received on this port during the session. Displays the number of user data frames transmitted on this port during the session. Displays a unique identifier for the session that is at least three characters. Displays the authentication method (remote or local RADIUS server) used to establish the session. Displays the duration of the session (in days, hours, minutes, and seconds). Displays the reason for the session being terminated. The possible reasons are: Supplicant logoff Port failure Supplicant restart Re-authentication failed Control force unauthorized Port re-initialized Port admin disabled Not terminated Displays the user name of the Supplicant PAE. Configuring and Managing Security using the NNCLI and CLI

274 274 Chapter 14 Configuring EAPOL using the CLI Showing EAPoL configuration statistics To display configuration information for the supplicant PAE associated with each selected port, use the following command: show ports info eapol config [<ports>] where: ports uses the convention {slot/port[-slot/port][,...]} Figure 73 shows sample output for this command. Figure 73 show ports info eapol config command sample output Passport-8310:5# show ports info eapol config 1/1 ========================================================================== Eap Authenticator Config Table ========================================================================== Port 1/ Admin Status force-auth Control Direction both Max Request 2 Quiet Period 60 Transmit Period 30 Server Timeout 30 Supplicant Timeout 30 Reauthentication false Reauth Period 3600 Guest-Vlan State disabled Guest-Vlan ID 4095 Multi Host enabled Max Multi Host 1 Allow Non-Eap Host disabled Max Non-Eap Host C

275 Chapter 14 Configuring EAPOL using the CLI 275 Table 21 describes the parameters in the Eap Authenticator Config table. Table 21 show ports info eapol config parameters Item Admin Status Control Direction Max Request Quiet Period Transmit Period Server Timeout Supplcant Timeout Reauthentication Reauth Period Guest-Vlan State Guest-Vlan ID Multi Host Description Displays the authentication status for this port. force-unauthorized - port is always unauthorized. auto - port authorization depends on the results of the EAPoL authentication by the RADIUS server. force-authorized - port is always authorized. Indicates the control direction. Control direction can be either incoming-only or incoming-and-outgoing. If the port is unauthorized, traffic is blocked, based on this setting. If the admin-traffic-control field value is set to incoming-only, ingressing traffic is blocked; egress traffic is forwarded normally. If the admin-traffic-control field value is set to incoming-and-outgoing, traffic is blocked in both directions. Displays the maximum number of times to retry sending packets to the Supplicant. Displays the time interval (in seconds) between authentication failure and the start of a new authentication. Displays the time (in seconds) that the Authenticator waits for a response from a Supplicant for EAP Request/Identity packets. Displays the time (in seconds) that the Authenticator waits for a response from the RADIUS server. Displays the time (in seconds) that the Authenticator waits for a response from a Supplicant for all EAP packets except EAP Request/Identity packets. When set to true, the Authenticator re-authenticates a Supplicant at the time interval specified in Reauth Period. Displays the time interval (in seconds) between successive re-authentications. Displays the state (enabled or disabled) of the Guest VLAN on this port. Displays the guest VLAN identification number (vid). vid is the vlan id, an integer value in the range 1 and Displays the multiple EAPoL client setting (enabled or disabled) on the specified port. Configuring and Managing Security using the NNCLI and CLI

276 276 Chapter 14 Configuring EAPOL using the CLI Table 21 show ports info eapol config parameters (continued) Item Max Multi Host Allow Non-Eap Host Max Non-Eap Host Description Displays the number of EAPoL hosts configured on the port. Up to 8 EAPoL hosts can reside on the port. Displays the Allow Non-EAPoL hosts setting (enabled or disabled) for this port. Displays the number of Non-EAPoL hosts configured on the port. Up to 8 Non-EAPoL hosts can reside on the port. Showing EAPoL operation statistics To display statistical information about the authenticator, use the following command: show ports info eapol oper-stats [<ports>] where: ports uses the convention {slot/port[-slot/port][,...]} Figure 74 on page 277 shows sample output for this command. In this example, ports 1/1 to 1/8 have been selected for display C

277 Figure 74 show ports info eapol oper-stats command sample output Passport-8310:5# show ports info eapol oper-stats 1/1-1/8 Chapter 14 Configuring EAPOL using the CLI 277 ==================================================================== Eap Oper Stats ==================================================================== PORT CTRL PORT PAE BKEND DIR STATUS STATUS STATUS /1 both authorized force-authorized idle 1/2 both authorized force-authorized idle 1/3 both authorized force-authorized idle 1/4 both authorized force-authorized idle 1/5 both authorized force-authorized idle 1/6 both authorized force-authorized idle 1/7 both authorized force-authorized idle 1/8 both authorized force-authorized idle Table 22 describes the parameters in the Eap Oper Stats table. Table 22 show ports info eapol oper-stats parameters Item CTRL DIR PORT STATUS Description Indicates the control direction. Control direction can be either incoming-only or incoming-and-outgoing. If the port is unauthorized, traffic is blocked, based on this setting. If the admin-traffic-control field value is set to incoming-only, ingressing traffic is blocked; egress traffic is forwarded normally. If the admin-traffic-control field value is set to incoming-and-outgoing, traffic is blocked in both directions. Displays the authentication status for this port. unauthorized - port is always unauthorized. auto - port authorization depends on the results of the EAPoL authentication by the RADIUS server. authorized - port is always authorized. Configuring and Managing Security using the NNCLI and CLI

278 278 Chapter 14 Configuring EAPOL using the CLI Table 22 show ports info eapol oper-stats parameters (continued) Item PAE STATUS BKEND STATUS Description Displays the current Authenticator PAE state. The possible states are: initialized disconnected connecting authenticating authenticated aborting held force-authorized force-unauthorized Displays the current state of Backend Authentication. The possible states are: request response success fail timeout idle initialize Showing multiple clients session information To display information about multiple client sessions configured on one or more ports, use the following command: show ports info eapol multi-host-session-stats [<ports>] where: ports uses the convention {slot/port[-slot/port][,...]} Figure 75 on page 279 shows sample output for this command. In this example, ports 1/1 to 1/4 have been selected for display C

279 Chapter 14 Configuring EAPOL using the CLI 279 Figure 75 show ports info eapol multi-host-session-stats command sample output Passport-8310:5# show ports info eapol multi-host-session-stats 1/1-1/4 Unit/Port Client-Mac_Addr Session-Id Auth-Method Session-Time /1 00:00:00:00:00:00 10 local-server 00:04:16:09 1/2 00:00:00:00:00:00 20 local-server 00:00:05:32 1/3 00:00:00:00:00:00 30 local-server 00:02:24:45 1/4 00:00:00:00:00:00 40 local-server 00:01:09:03 Term-Cause User-Name re-auth failure not-terminated user2 not-terminated user3 not-terminated user4 Table 23 describes the information provided for multiple client sessions. Table 23 show ports info eapol oper-stats parameters Item Unit/Port Client MAC Address Session ID Authentication Method Session Time Terminate Cause User Name Description Lists the port number for the displayed statistics. Displays the MAC address of the client. Displays the unique identifier for the session. Displays the authentication method (remote-server or local-server) used to establish the session. Displays the duration of the session (in days, hours, minutes, and seconds). Displays the reason for the session being terminated. The possible reasons are: Supplicant logoff Port failure Supplicant restart Re-authentication failed Control force unauthorized Port re-initialized Port admin disabled Not terminated Displays the username of the Supplicant PAE. Configuring and Managing Security using the NNCLI and CLI

280 280 Chapter 14 Configuring EAPOL using the CLI Viewing the status of non-eapol clients that use RADIUS To view information about non-eapol clients using RADIUS on one or more ports, use the following command: show ports info eapol radius-non-eap-mac [<ports>] where: ports uses the convention {slot/port[-slot/port][,...]} Figure 76 shows sample output for this command. In this example, ports 1/1 to 1/4 have been selected for display. Figure 76 show ports info eapol radius-non-eap-mac command sample output Passport-8310:5# show ports info eapol radius-non-eap-mac 1/1-1/4 Unit/Port Client Mac Addr Authentication Status /1 00:00:00:00:00:00 pending 1/2 00:00:00:00:00:00 pending 1/3 00:00:00:00:00:00 request-dropped 1/4 00:00:00:00:00:00 pending Passport-8310:5# Table 77 describes the information available for non-eap clients. Figure 77 show ports info eapol radius-non-eap-mac parameters Item Unit/Port Description Indicates the slot and port numbers C

281 Chapter 14 Configuring EAPOL using the CLI 281 Figure 77 show ports info eapol radius-non-eap-mac parameters (continued) Item Client Mac Address Authentication Status Description Displays the non-eap MAC address for the device connected to the port. Displays the RADIUS authentication status of the learned MAC addresses. There are five possible status options: Pending Rejected Authenticated Request dropped Server not reachable Note: Non-EAP clients are not authenticated if the RADIUS queue is full, or if the RADIUS server cannot process the requests. For example, when the RADIUS server is down during the STP convergence, a discard filter is added for non-eap clients. The RADIUS request for the non-eap clients times out and is dropped. That is, the non-eap clients are discarded and never get a chance to be authenticated. In addition, if the RADIUS queue is full and more RADIUS requests come in, all those additional RADIUS requests are dropped. To solve this issue, in Ethernet Routing Switch 8300 software release 2.2 the authentication status of the non-eap client changes from pending to radius-server-not-reachable when the RADIUS request of a non-eap client times out. Also, when the RADIUS request of a non-eap client is dropped due to insufficient space in the RADIUS queue, the authentication status of the non-eap client is changed to radius-request-dropped. The discarded RADIUS non-eap clients (with an authentication status of radius-request-dropped or radius-server-not-reachable) receive another chance to be authenticated when one of the following occurs: The discard-filter-ageout timer (configured by the user) expires. By default, the discard-filter-ageout value is 10 seconds. The user can configure it to a value in the range of seconds. Traffic from the RADIUS server is received. In addition, a consistency check prevents enabling EAP and unknown-mac-discard together. Configuring and Managing Security using the NNCLI and CLI

282 282 Chapter 14 Configuring EAPOL using the CLI Viewing allowed non-eapol MAC addresses To view the allowed non-eapol MAC addresses and the associated slot/port for each, use the following command from any mode: show ports info eapol non-eap-mac [<ports>] where: ports uses the convention {slot/port[-slot/port][,...]}. Figure 78 shows sample output for this command. Figure 78 show ports info eapol non-eap-mac command sample output Passport-8310:5# show ports info eapol non-eap-mac 1/1-1/4 Unit/Port Allowed Mac Addr /1 00:00:00:00:00:00 1/2 00:00:00:00:00:00 1/3 00:00:00:00:00:00 1/4 00:00:00:00:00:00 Passport-8310:5# Table 24 describes the information provided by the show ports info eapol non-eap-mac command. Table 24 show ports info eapol non-eap-mac parameters Item Unit/Port Allowed Mac Address Description Indicates the slot/port number. Displays the list of allowed non-eap MAC addresses that have been added C

283 Chapter 15 Configuring TACACS+ using the NNCLI 283 This chapter describes how to configure TACACS+ using the NNCLI. Specifically, it includes the following topics: Topic Page Roadmap of CLI TACACS+ commands 283 Enabling TACACS+ authentication 284 Configuring a TACACS+ server 285 Configuration example: enabling TACACS+ and adding a 287 TACACS+ server Roadmap of CLI TACACS+ commands The following roadmap lists the CLI TACACS+ commands and their parameters. Use this list as a quick reference, or click on any entry for more information: Command tacacs enable no tacacs enable show tacacs tacacs server <ipaddr> key <value> no tacacs server <ipaddr> Optional parameters [port <value>] [priority <value>] [single-connection enable] [source <ipaddr>] [timeout <value>] Configuring and Managing Security using the NNCLI and CLI

284 284 Chapter 15 Configuring TACACS+ using the NNCLI Enabling TACACS+ authentication To enable TACACS+ authentication globally on the switch, use the following command from the Global configuration mode: tacacs enable To disable TACACS+ authentication globally on the switch, use the following command from the Global configuration mode: no tacacs enable Showing TACACS+ information To display the status of TACACS+ configuration, enter the following command from any mode: show tacacs Figure 79 shows sample output for the show tacacs command. Figure 79 Sample of show tacacs command output Passport-8310:5# show tacacs TACACS+ authentication is enabled. IP address Status Key Port Prio Timeout Single Source IP NotConn mykey No Passport-8310:5(config)# C

285 Configuring a TACACS+ server Chapter 15 Configuring TACACS+ using the NNCLI 285 To add a TACACS+ server, use the following command from the Global configuration mode: tacacs server <ipaddr> key <value> where: ipaddr is the IP address of the server you want to add key <value> is the secret authentication and encryption key used for all TACACS+ communications between the device and the TACACS+ server Note: The key <value> parameter is a required parameter only when creating a new server entry. The parameter is optional when modifying an existing entry. Configuring and Managing Security using the NNCLI and CLI

286 286 Chapter 15 Configuring TACACS+ using the NNCLI After you have added the TACACS+ server, use the following tacacs server <ipaddr> commands to further configure the TACACS+ server settings: tacacs server <ipaddr> optional parameters: [port <value>] [priority <value>] [single-connection enable] [source <ipaddr>] [timeout <value>] Optional parameters: key <value>: Specifies the authentication and encryption key for all TACACS+ communications between the device and the TACACS+ server. This key must match the encryption used on the TACACS+ daemon. The string length is characters. port <value>: Specifies the TCP port you want to use. If unspecified, the default port number is 49. The range of values is priority <value>: Determines the order in which the servers will be used, where 1 specifies the highest priority. The default value is 1. When setting a second server and more, a unique value must be specified. The range of values is single-connection enable: Rather than have the device open and close a TCP connection to the daemon each time it must communicate, the single-connection option maintains a single open connection between the device and the daemon. By default, single-connection is disabled. To disable single-connection, use the command no tacacs server <ipaddr> single-connection enable. source <ipaddr>: Specifies the source IP address to use for communication. Enter to use the IP address of the outgoing IP interface. The default value is timeout <value>: Specifies the timeout value (in seconds) for communications with the TACACS+ server. The default value is 10 seconds. The range of values is The default value is 10 seconds. To delete a TACACS+ server, use the following command from the Global configuration mode: no tacacs server <ipaddr> C

287 Chapter 15 Configuring TACACS+ using the NNCLI 287 Configuration example: enabling TACACS+ and adding a TACACS+ server The following configuration example uses the commands described above to enable TACACS+ globally and add a TACACS+ server with the following parameters: IP address key of mykey Figure 80 shows sample input using these commands. Figure 80 Sample of tacacs server command input Passport-8310:5(config)# tacacs enable Passport-8310:5(config)# tacacs server key 9 Passport-8310:5(config)# show tacacs TACACS+ authentication is enabled. IP address Status Key Port Prio Timeout Single Source IP Conn mykey No Passport-8310:5(config)# Configuring and Managing Security using the NNCLI and CLI

288 288 Chapter 15 Configuring TACACS+ using the NNCLI C

289 Chapter 16 Configuring TACACS+ using the CLI 289 This chapter describes how to configure TACACS+ using the CLI. Specifically, it includes the following topics: Topic Page Roadmap of CLI TACACS+ commands 289 Configuring TACACS+ on the switch 290 Configuring a TACACS+ server 292 Configuration example: adding a TACACS+ server 294 Roadmap of CLI TACACS+ commands The following roadmap lists the CLI TACACS+ commands and their parameters. Use this list as a quick reference, or click on any entry for more information: Command config tacacs config tacacs server Parameter info enable <true false> info create <ipaddr> secret <value> [[port <value>] [priority <value>] [timeout <value>] [single-connection <true false>] [source <ipaddr>] Configuring and Managing Security using the NNCLI and CLI

290 290 Chapter 16 Configuring TACACS+ using the CLI Command Parameter set <ipaddr> [secret <value>] [port <value>] [priority <value>] [timeout <value>] [single-connection <true false>] [source <ipaddr>] delete <ipaddr> Configuring TACACS+ on the switch To configure TACACS+ on the switch, use the following command: config tacacs This is a complete list of the config tacacs commands. The sections that follow provide specific details about each command. config tacacs followed by: info enable <true false> Displays global TACACS+ settings. Note: The show tacacs info command can also be used to display TACACS+ server settings. Enables (true) or disables (false) the TACACS+ authentication feature. By default TACACS+ authentication is disabled C

291 Chapter 16 Configuring TACACS+ using the CLI 291 Enabling TACACS+ To enable or disable TACACS+ authentication on the switch, use the following command: config tacacs enable <true false> where: true enables TACACS+ authentication false disables TACACS+ authentication Showing TACACS+ information To display the status of TACACS+ authentication, enter one of the following commands: config tacacs info or show tacacs info Figure 81 shows sample output for the config tacacs info command. Figure 81 Sample of config tacacs info command output Passport-8310:5# config tacacs info Sub-context: clear config monitor show test trace Current Context: Passport-8310:5# enable : true Configuring and Managing Security using the NNCLI and CLI

292 292 Chapter 16 Configuring TACACS+ using the CLI Configuring a TACACS+ server To create, delete, or get information about a TACACS+ server, use the following command: config tacacs server The following shows a complete list of the config tacacs server commands. config tacacs server followed by: info create <ipaddr> secret <value> Optional parameters: [[port <value>] [priority <value>] [timeout <value>] [single-connection <true false>] [source <ipaddr>] Displays the TACACS+ server settings. Note: The show tacacs server config command can also be used to display TACACS+ server settings. Creates a TACACS+ server, where <ipaddr> is the IP address of the server you want to add. The secret <value> specifies the authentication and encryption key for all TACACS+ communications between the device and the TACACS+ server. This key must match the encryption used on the TACACS+ daemon. The string length is characters. Optional parameters: port <value>: Specifies the TCP port you want to use. If unspecified, the default port number is 49. The range of values is priority <value>: Determines the order in which the servers will be used, where 1 specifies the highest priority. The default value is 1. When setting a second server and more, a unique value must be specified. The range of values is timeout <value>: Specifies the timeout value in seconds. The default value is 10 seconds. The range of values is single-connection <true false>: Enter true to specify single-connection. Rather than have the device open and close a TCP connection to the daemon each time it must communicate, the single-connection option maintains a single open connection between the device and the daemon. If no value is specified, the value defaults to false. source <ipaddr>: Specifies the source IP address to use for communication. A address value of is interpreted as a request to use the IP address of the outgoing IP interface. If no source value is specified, the value defaults to C

293 Chapter 16 Configuring TACACS+ using the CLI 293 config tacacs server followed by: set <ipaddr> Optional parameters: [secret <value>] [port <value>] [priority <value>] [timeout <value>] [single-connection <true false>] [source <ipaddr>] delete <ipaddr> Changes the specified server values without having to delete the server and recreate it. Optional parameters: secret <value>: Specifies the authentication and encryption key for all TACACS+ communications between the device and the TACACS+ server. This key must match the encryption used on the TACACS+ daemon. The string length is characters. port <value>: Specifies the TCP port you want to use. The range of values is priority <value>: Determines the order in which the servers will be used, where 1 specifies the highest priority. The range of values is timeout <value>: Specifies the timeout value in seconds. The range of values is single-connection <true false>: Enter true to specify single-connection. Rather than have the device open and close a TCP connection to the daemon each time it must communicate, the single-connection option maintains a single open connection between the device and the daemon. source <ipaddr>: Specifies the source IP address to use for communication. A address value of is interpreted as a request to use the IP address of the outgoing IP interface. Deletes a TACACS+ server, where <ipaddr> is the IP address of the server you want to delete. Showing TACACS+ server configurations To display current TACACS+ server configurations, enter one of the following commands: config tacacs server info or show tacacs server config Figure 82 on page 294 shows sample output for the config tacacs server info command. Configuring and Managing Security using the NNCLI and CLI

294 294 Chapter 16 Configuring TACACS+ using the CLI Configuration example: adding a TACACS+ server The following configuration example uses the commands described above to add a TACACS+ server with the following parameters: IP address key of mykey priority value of 2 timeout value of 25 single-connection enabled Figure 82 shows sample output using these commands. Figure 82 Sample of config tacacs+ server command output Passport-8310:5# config tacacs server create secret mykey priority 2 timeout 25 single-connection true Passport-8310:5# config tacacs server info Sub-context: clear config monitor show test trace Current Context: create : Name Status Secret Port Prio Timeout Single Source Conn mykey true Passport-8310:5# delete : N/A set : N/A C

295 Chapter 17 NNCLI configuration examples 295 This chapter provides examples of common EAPoL and SNMPv3 configuration tasks, including the NNCLI commands you use to create the example configurations. Note: For a complete description of NNCLI commands you can use to configure specific EAPoL and SNMPv3 tasks, including those shown in this chapter, see the appropriate NNCLI chapter in this guide. This chapter includes the following topics: Topic Page Configuring EAPoL via Layer Configuring EAPoL via Layer Configuring SNMPv3 304 Configuring and Managing Security using the NNCLI and CLI

296 296 Chapter 17 NNCLI configuration examples Configuring EAPoL via Layer 2 Figure 83 EAPoL via L2 In this configuration example, you use VLAN 2 for the EAPoL Supplicants, ports 1/20-1/25. You use port 1/13 for the trunk port to the Ethernet Routing Switch 8600 core. Only ports 1/20 and 1/21 are ready for EAPoL users. The other EAPoL Supplicant ports (1/22-1/25) are reserved for future EAPoL use; configure these ports so that they cannot be accessed. All ports are FastEthernet 10/100. Specifically, this configuration example shows how to perform the following tasks: Create VLAN 2 for EAPoL with port 1/13 and ports 1/20-1/25 Use IP address of /24 on VLAN 2 Configure ports 1/20 and 1/21 for EAPoL auto Configure ports 1/22-1/25 for EAPoL force-unauthorized Configure a RADIUS server on the Ethernet Routing Switch 8300 switch that points to the Authentication Server Figure 83 illustrates this configuration example. Core Ethernet Routing Switch 8600 A Ethernet Routing Switch 8600 B EAP Authenticator 1/20 EAP Supplicants 1/21 RADIUS Authentication Server 1/13 Ethernet Routing Switch /22-1/25 Reserved for future EAP users x/ /24 VLAN 2 EAPvial2 To configure the switch for this example, follow these steps: 1 Create VLAN 2 as a port-based VLAN using STG 1: C

297 Chapter 17 NNCLI configuration examples 297 Passport-8310:5(config)#vlan create 2 type port 1 2 If required, enable VLAN tagging on port 1/13: Passport-8310:5(config)#interface fastethernet 1/13 Passport-8310:5(config-if)#encapsulation dot1q Passport-8310:5(config-if)#exit 3 Add VLAN members: Passport-8310:5(config)#vlan members add 2 1/13,1/20-1/25 4 Remove port members from the default VLAN: Passport-8310:5(config)#vlan members remove 1 1/13,1/ 20-1/25 5 Add an IP address to VLAN 2: Passport-8310:5(config)#interface vlan 2 Passport-8310:5(config-if)#ip address Passport-8310:5(config-if)#exit 6 Enable EAPoL globally: Passport-8310:5(config)#eapol 7 Enable EAPoL on ports 1/20 and 1/21: a Go to ports 1/20-1/21: b Passport-8310:5(config)#interface fastethernet 1/20-1/ 21 Set EAPoL status to auto: Passport-8310:5(config-if)#eapol status auto Passport-8310:5(config-if)#exit 8 Set ports 1/22-1/25 to EAPoL unauthorized: a Go to ports 1/22-1/25: b Passport-8310:5(config)#interface fastethernet 1/22-1/25 Set EAPoL status to unauthorized: Passport-8310:5(config-if)#eapol status unauthorized Passport-8310:5(config-if)#exit 9 Add the RADIUS server configuration: Configuring and Managing Security using the NNCLI and CLI

298 298 Chapter 17 NNCLI configuration examples a b Enable RADIUS globally: Passport-8310:5(config)#radius Add the RADIUS server; use the RADIUS key eap8300: Passport-8310:5(config)#radius-server host key eap8300 useby eap C

299 Chapter 17 NNCLI configuration examples 299 Configuration files This section shows the configuration commands and parameters used to create the topology shown in Figure 83 on page 296. You can copy and paste the command outputs shown here to update your configuration files. # PORT CONFIGURATION - PHASE I # interface FastEthernet 1/20 eapol status auto interface FastEthernet 1/21 eapol status auto interface FastEthernet 1/22 eapol status unauthorized interface FastEthernet 1/23 eapol status unauthorized interface FastEthernet 1/24 eapol status unauthorized interface FastEthernet 1/25 eapol status unauthorized config terminal # # VLAN CONFIGURATION # no vlan members 1 1/13,1/20-1/25 portmember vlan create 2 type port 1 no vlan members 2 1/1-1/12,1/14-1/19,1/26-1/48,2/1-2/24,5/1-5/8 portmember vlan members 2 1/13,1/20-1/25 portmember interface VLAN 2 ip address config terminal # # RADIUS CONFIGURATION # radius-server host key eap8300 useby eapol acct-port 1813 radius # # GLOBAL EAP CONFIGURATION # eapol Configuring and Managing Security using the NNCLI and CLI

300 300 Chapter 17 NNCLI configuration examples Configuring EAPoL via Layer 3 Figure 84 EAPoL via L3 In this configuration example, the Ethernet Routing Switch 8300 is connected to a routed core. Specifically, this configuration example shows how to perform the following tasks: Create VLAN 2 with port 1/13 and IP address of /24 to be used to connect to the core network. Create VLAN 3 with ports 1/20 and 1/21 and IP address of /24 to be used for the EAPoL Supplicants. Add a static default route pointing to on the Ethernet Routing Switch 8600 switch B. Configure RADIUS-server pointing to the authentication server. Figure 84 illustrates this configuration example. Core (OSPF) Ethernet Routing Switch 8600 A Ethernet Routing Switch 8600 B 1/24 Ethernet Routing Switch /13 1/25 EAP Supplicants x/ x/ x/24 RADIUS Authentication Server VLAN 2 VLAN /24 Configure Ethernet Routing Switch 8600 B with static route for /24 network and enable OSPF static route redistribution. EAPvial3 To configure the switch for this example, follow these steps: 1 Remove ports from the default VLAN: Passport-8310:5(config)#vlan members remove 1 1/13, 1/ 24-1/25 2 Create VLAN 2 as a port-based VLAN using STG 1: Passport-8310:5(config)#vlan create 2 type port C

301 3 If required, enable VLAN tagging on port 1/13: Chapter 17 NNCLI configuration examples 301 Passport-8310:5(config)#interface fastethernet 1/13 Passport-8310:5(config-if)#encapsulation dot1q Passport-8310:5(config-if)#exit 4 Add VLAN members: Passport-8310:5(config)#vlan members add 2 1/13 5 Add IP address to VLAN 2: Passport-8310:5(config)#interface vlan 2 Passport-8310:5(config-if)#ip address Passport-8310:5(config-if)#exit 6 Create VLAN 3 as a port-based VLAN using STG 1: Passport-8310:5(config)#vlan create 3 type port 1 7 Add VLAN members: Passport-8310:5(config)#vlan members add 3 1/24-1/25 8 Add an IP address to VLAN 3: Passport-8310:5(config)#interface vlan 3 Passport-8310:5(config-if)#ip address Passport-8310:5(config-if)#exit 9 Add static route: Passport-8310:5(config)#ip route Enable EAPoL globally: Passport-8310:5(config)#eapol 11 Enable EAPoL on ports 1/24 and 1/25: a Go to ports 1/24-1/25: b Passport-8310:5(config)#interface fastethernet 1/24-1/ 25 Set EAPoL status to auto: Passport-8310:5(config-if)#eapol status auto Passport-8310:5(config-if)#exit Configuring and Managing Security using the NNCLI and CLI

302 302 Chapter 17 NNCLI configuration examples 12 Add the RADIUS server configuration: a Enable RADIUS globally b Passport-8310:5(config)#radius Add the RADIUS server; use the RADIUS key eap8300. Passport-8310:5(config)#radius-server host key eap8300 useby eap C

303 Chapter 17 NNCLI configuration examples 303 Configuration files This section shows the configuration commands and parameters used to create the topology shown in Figure 84 on page 300. You can copy and paste the command outputs shown here to update your configuration files. # PORT CONFIGURATION - PHASE I # interface FastEthernet 1/24 eapol status auto interface FastEthernet 1/25 eapol status auto config terminal # # VLAN CONFIGURATION # no vlan members 1 1/13,1/24-1/25 portmember vlan create 2 type port 1 no vlan members 2 1/1-1/12,1/14-1/48,2/1-2/24,5/1-5/8 portmember vlan members 2 1/13 portmember interface VLAN 2 ip address config terminal vlan create 3 type port 1 color 2 no vlan members 3 1/1-1/23,1/26-1/48,2/1-2/24,5/1-5/8 portmember vlan members 3 1/24-1/25 portmember interface VLAN 3 ip address config terminal ## ip route preference 5 # # RADIUS CONFIGURATION # radius-server host key eap8300 useby eapol acct-port 1813 radius # # GLOBAL EAP CONFIGURATION # eapol Configuring and Managing Security using the NNCLI and CLI

304 304 Chapter 17 NNCLI configuration examples Configuring SNMPv3 In this configuration example, you add two users with different MIB permissions and privacy protocols to the USM table. Specifically, this configuration example shows how to perform the following tasks: Add User 1 to the USM table with an authentication protocol of MD5 and a privacy protocol of DES (authpriv). Allow User 1 full MIB views with full permission (both read and write), starting from the existing org level. Add User 2 to the USM table with an authentication protocol of MD5 and no privacy protocol (authnopriv). Allow User 2 full MIB read permission, starting from the existing org level, but excluding write permission from all private Enterprise MIBs. Note: The org level gives users access to both the standard MIB and private tree branches; the private level gives users access to only MIB objects below the private branch of the MIB tree. Figure 85 illustrates this configuration example. Figure 85 SNMPv3 for users with different permissions/privacy protocols Configure User 1 with MD5 and privacy protocol DES and full read/write permissions User 1 SNMPv3 Access Ethernet Routing Switch 8300 User 2 USM table Configure User 2 with MD5 and no privacy protocol and read-only permission snmpv C

305 Chapter 17 NNCLI configuration examples 305 To configure the switch for this example, follow these steps: 1 Load the DES module: After you have installed the DES module on the Ethernet Routing Switch 8300, enter the following command: Passport-8310:5(config)# load-module des /flash/ p83c2200.des 2 Add User 1 to the USM table. For this example, specify a user name of user1, an MD5 password of user1234, and a DES privacy password of userpriv. Passport-8310:5(config)# snmp-server user user1 md5 auth user1234 priv userpriv 3 Add User 1 to the USM group. For this example, add user1 to a USM group named group_1. Passport-8310:5(config)# snmp-server member user1 usm group_1 4 Assign access level to the USM group. For this example, assign an access level of authpriv to the USM group group_1. Passport-8310:5(config)# snmp-server group group_1 "" usm authpriv 5 Assign read and write view to the USM group. For this example, assign read and write view, starting at org, to the USM group group_1. Passport-8310:5(config)# snmp-server group view group_1 "" usm authpriv read-view org write-view org 6 Add User 2 to the USM table. For this example, specify a user name of user2, and a MD5 password of user2abcd. Passport-8310:5(config)# snmp-server user user2 md5 auth user2abcd 7 Add User 2 to the USM group. For this example, add User 2 to the group named group_1 that you created in step 3. Passport-8310:5(config)# snmp-server member user2 usm group_1 Configuring and Managing Security using the NNCLI and CLI

306 306 Chapter 17 NNCLI configuration examples 8 Assign the access level to the USM group. For this example, assign an access level of authnopriv to the USM group group_1. Passport-8310:5(config)# snmp-server group group_1 "" usm authnopriv 9 Create a new MIB view to exclude the private MIB for User 2. For this example, add a new MIB view named private to exclude access to the SNMP Private MIB. Passport-8310:5(config)# snmp-server view private type exclude 10 Assign read and write view to the USM group. For this example, assign read view only, starting at org, and read and write view, starting at the private, to the USM group group_1. Passport-8310:5(config)# snmp-server group view group_1 "" usm authnopriv read-view org write-view private C

307 Chapter 17 NNCLI configuration examples 307 Configuration files This section shows the configuration commands and parameters used to set up User 1 and User 2 for SNMPv3, as shown in Figure 85 on page 304. You can copy and paste the command outputs shown here to update your configuration files. # # SNMP V3 GROUP MEMBERSHIP CONFIGURATION # snmp-server member user1 usm group_1 snmp-server member user2 usm group_1 # # SNMP V3 GROUP ACCESS CONFIGURATION # snmp-server group "group_1" "" usm authnopriv snmp-server group view "group_1" "" usm authnopriv read-view "org" write-view "private" snmp-server group "group_1" "" usm authpriv snmp-server group view "group_1" "" usm authpriv read-view "org" write-view "org" # # SNMP V3 MIB VIEW CONFIGURATION # snmp-server view create private type exclude # Configuring TACACS+ In this configuration example, you configure the Ethernet Routing Switch 8300 to use TACACS+ to authenticate and authorize different levels of users. In this scenario, both the management PC and the TACACS+ server reside in the same subnet of a local Ethernet port (see Figure 86 on page 308). A routed configuration where the PC and the server sit on a separate subnet is also supported. Configuring and Managing Security using the NNCLI and CLI

308 308 Chapter 17 NNCLI configuration examples Figure 86 TACACS+ server and management PC on the same subnet Slot 1, Port 8 (1/8) Corporate network Management PC Ethernet Routing Switch 8300 Management IP: TACACS+ server Supported TACACS+ servers The following TACACS+ servers are supported by Nortel: Cisco ACS (version 3.2) ClearBox (version 2.4.5) Linux Freeware TACPLUS (version ) TACACS+ configuration example To configure the switch for this example: 1 Configure the management VLAN. For example, from the Global configuration mode, create the port-based management VLAN 10 in STG 1. Add the local Ethernet port (1/8), and identify the management IP address and netmask: Passport-8310:5(config)# vlan create 10 type port 1 Passport-8310:5(config)# vlan members add 10 1/8 Passport-8310:5(config)# interface vlan C

309 Chapter 17 NNCLI configuration examples 309 Passport-8310:5(config-if)# ip address Configure the Ethernet Routing Switch to point to the TACACS+ server for authentication. In this example, the secret key string is secret. Passport-8310:5# tacacs server key secret 3 Enable TACACS+. Passport-8310:5# tacacs enable Configuring the TACACS+ server On the TACACS+ server, you must define the following items: user profiles and corresponding authorization levels (see TACACS+ access levels on page 80 for information on Ethernet Routing Switch 8300 access levels and privileges) a client (in this case, the Ethernet Routing Switch 8300) Note: The secret key string configured on the Ethernet Routing Switch 8300 must match that configured on the TACACS+ server. Refer to Appendix A, TACACS+ server configuration examples, on page 325 for TACACS+ server configuration examples. Configuring and Managing Security using the NNCLI and CLI

310 310 Chapter 17 NNCLI configuration examples C

311 311 Chapter 18 CLI configuration examples This chapter provides examples of common EAPoL and SNMPv3 configuration tasks, including the CLI commands you use to create the example configurations. Note: For a complete description of CLI commands you can use to configure specific EAPoL and SNMPv3 tasks, including those shown in this chapter, see the appropriate CLI chapter in this guide. This chapter includes the following topics: Topic Page Configuring EAPoL through L2 311 Configuring EAPoL through L3 315 Configuring SNMPv3 318 Configuring TACACS+ 321 Configuring EAPoL through L2 In this configuration example, you use VLAN 2 for the EAPoL Supplicants, ports 1/20-1/25. You use port 1/13 for the trunk port to the Ethernet Routing Switch 8600 core. Only ports 1/20 and 1/21 are ready for EAPoL users. The other EAPoL Supplicant ports (1/22-1/25) are reserved for future EAPoL use; configure these ports so that they cannot be accessed. Specifically, this configuration example shows how to perform the following tasks: Create VLAN 2 for EAPoL with port 1/13 and ports 1/20-1/25 Use IP address of /24 on VLAN 2 Configure ports 1/20 and 1/21 for EAPoL auto Configuring and Managing Security using the NNCLI and CLI

312 312 Chapter 18 CLI configuration examples Figure 87 EAPoL via L2 Configure ports 1/22-1/25 for EAPoL force-unauthorized Configure a RADIUS-server on the Ethernet Routing Switch 8300 that points to the Authentication Server Figure 87 illustrates this configuration example. Core Ethernet Routing Switch 8600 A Ethernet Routing Switch 8600 B EAP Authenticator 1/20 1/21 EAP Supplicants RADIUS Authentication Server /24 VLAN 2 1/13 Ethernet Routing Switch /22-1/25 Reserved for future EAP users x/24 EAPvial2 To configure the switch for this example, follow these steps: 1 Create VLAN 2 as a port-based VLAN using STG 1: Passport-8310:5# config vlan 2 create byport 1 2 If required, enable VLAN tagging on port 1/13: Passport-8310:5# config ethernet 1/13 perform-tagging enable 3 Add VLAN members: Passport-8310:5# config vlan 2 ports add 1/13,1/20-1/25 4 Remove port members from the default VLAN: Passport-8310:5# config vlan 1 ports remove 1/13,1/20-1/ 25 5 Add IP address to VLAN 2: Passport-8310:5# config vlan 2 ip create / C

313 6 Enable EAPoL globally: Chapter 18 CLI configuration examples 313 Passport-8310:5# config sys set eapol enable 7 Enable EAPoL on ports 1/20 and 1/21: Passport-8310:5# config ethernet 1/20-1/21 eapol admin-status auto 8 Set ports 1/22-1/25 to EAPoL unauthorized: Passport-8310:5# config ethernet 1/22-1/25 eapol admin-status force-unauthorized 9 Add the RADIUS server configuration: a Enable RADIUS globally: b Passport-8310:5# config radius enable true Add the RADIUS server, assuming the RADIUS key = eap8300: Passport-8310:5# config radius server create secret eap8300 usedby eap Configuring and Managing Security using the NNCLI and CLI

314 314 Chapter 18 CLI configuration examples Configuration files This section shows the configuration commands and parameters used to create the topology shown in Figure 87 on page 312. You can copy and paste the command outputs shown here to update your configuration files. # # PORT CONFIGURATION - PHASE I # ethernet 1/20 eapol admin-status auto ethernet 1/21 eapol admin-status auto ethernet 1/22 eapol admin-status force-unauthorized ethernet 1/23 eapol admin-status force-unauthorized ethernet 1/24 eapol admin-status force-unauthorized ethernet 1/25 eapol admin-status force-unauthorized # # # VLAN CONFIGURATION # vlan 1 ports remove 1/13,1/20-1/25 member portmember vlan 2 create byport 1 vlan 2 ports remove 1/1-1/12,1/14-1/19,1/26-1/48,2/1-2/24,5/1-5/8 member portmember vlan 2 ports add 1/13,1/20-1/25 member portmember vlan 2 ip create / # # # RADIUS CONFIGURATION # radius server create secret eap8300 usedby eapol acct-port 1813 radius enable true # # GLOBAL EAP CONFIGURATION # sys set eapol enable back C

315 Configuring EAPoL through L3 Figure 88 EAPoL via L3 Chapter 18 CLI configuration examples 315 In this configuration example, the Ethernet Routing Switch 8300 is connected to a routed core. Specifically, this configuration example shows how to perform the following tasks: Create VLAN 2 with port 1/13 and IP address of /24 to be used to connect to the core network. Create VLAN 3 with ports 1/20 and 1/21 and IP address of /24 to be used for the EAPoL Supplicants. Add a static default route pointing to on Ethernet Routing Switch 8600 switch B. Configure RADIUS-server pointing to the authentication server. Figure 88 illustrates this configuration example. Core (OSPF) Ethernet Routing Switch 8600 A Ethernet Routing Switch 8600 B 1/24 Ethernet Routing Switch /13 1/25 EAP Supplicants x/ x/ x/24 RADIUS Authentication Server VLAN 2 VLAN /24 Configure Ethernet Routing Switch 8600 B with static route for /24 network and enable OSPF static route redistribution. EAPvial3 To configure the switch for this example, follow these steps: 1 Remove ports from the default VLAN: Passport-8310:5# config vlan 1 ports remove 1/13,1/24-1/ 25 2 Create VLAN 2 as a port-based VLAN using STG 1: Passport-8310:5# config vlan 2 create byport 1 Configuring and Managing Security using the NNCLI and CLI

316 316 Chapter 18 CLI configuration examples 3 If required, enable VLAN tagging on port 1/13: Passport-8310:5# config ethernet 1/13 perform-tagging enable 4 Add VLAN members: Passport-8310:5# config vlan 2 ports add 1/13 5 Add IP address to VLAN 2: Passport-8310:5# config vlan 2 ip create /24 6 Create VLAN 3 as a port-based VLAN using STG 1: Passport-8310:5# config vlan 3 create byport 1 7 Add VLAN members: Passport-8310:5# config vlan 3 ports add 1/24-1/25 8 Add IP address to VLAN 3: Passport-8310:5# config vlan 3 ip create /24 9 Add static route: Passport-8310:5# config ip static-route create /0 next-hop cost 1 10 Enable EAPoL globally: Passport-8310:5# config sys set eapol enable 11 Enable EAPoL on ports 1/24 and 1/25: Passport-8310:5# config ethernet 1/24-1/25 eapol admin-status auto 12 Add the RADIUS server configuration: a Enable RADIUS Globally b Passport-8310:5# config radius enable true Add the RADIUS server, assuming the RADIUS key = eap8300 Passport-8310:5# config radius server create secret eap8300 usedby eap C

317 Chapter 18 CLI configuration examples 317 Configuration files This section shows the configuration commands and parameters used to create the topology shown in Figure 88 on page 315. You can copy and paste the command outputs shown here to update your configuration files. # # PORT CONFIGURATION - PHASE I # ethernet 1/1 eapol reauthentication true ethernet 1/24 eapol admin-status auto ethernet 1/25 eapol admin-status auto # # VLAN CONFIGURATION # vlan 1 ports remove 1/13,1/24-1/25 member portmember vlan 2 create byport 1 vlan 2 ports remove 1/1-1/12,1/14-1/48,2/1-2/24,5/1-5/8 member portmember vlan 2 ports add 1/13 member portmember vlan 2 ip create / vlan 3 create byport 1 vlan 3 ports remove 1/1-1/23,1/26-1/48,2/1-2/24,5/1-5/8 member portmember vlan 3 ports add 1/24-1/25 member portmember vlan 3 ip create / # ip static-route create / next-hop cost 1 # # # RADIUS CONFIGURATION # radius server create secret eap8300 usedby eapol acct-port 1813 radius enable true # # GLOBAL EAP CONFIGURATION # sys set eapol enable back Configuring and Managing Security using the NNCLI and CLI

318 318 Chapter 18 CLI configuration examples Configuring SNMPv3 In this configuration example, you add two users to the USM table with different MIB permissions and privacy protocols to the USM table. Specifically, this configuration example shows how to perform the following tasks: Add User 1 to the USM table with an authentication protocol of MD5 and a privacy protocol of DES (authpriv). Allow User 1 full MIB views with full permission (both read and write), starting from the existing org level. Add User 2 to the USM table with an authentication protocol of MD5 and no privacy protocol (authnopriv). Allow User 2 full MIB read permission, starting from the existing org level, but excluding write permission from all Private Enterprise MIBs. Note: The org level gives users access to both the standard MIB and private tree branches; the private level gives users access to only MIB objects below the private branch of the MIB tree. Figure 89 illustrates this configuration example. Figure 89 SNMPv3 for users with different permissions/privacy protocols Configure User 1 with MD5 and privacy protocol DES and full read/write permissions User 1 SNMPv3 Access Ethernet Routing Switch 8300 User 2 USM table Configure User 2 with MD5 and no privacy protocol and read-only permission snmpv C

319 Chapter 18 CLI configuration examples 319 To configure the switch for this example, follow these steps: 1 Load the DES module: After you have installed the DES module on the Ethernet Routing Switch 8300, enter the following command: Passport-8310:5# config load-module DES /flash/ p83c2200.des 2 Add User 1 to the USM table. For this example, specify a user name of user1, an MD5 password of user1234, and a DES privacy password of userpriv. Passport-8310:5# config snmp-v3 usm create user1 md5 auth user1234 priv userpriv 3 Add User 1 to the USM group. For this example, add user1 to a USM group named group_1. Passport-8310:5# config snmp-v3 group-member create user1 usm group_1 4 Assign access level to the USM group. For this example, assign an access level of authpriv to the USM group group_1. Passport-8310:5# config snmp-v3 group-access create group_1 "" usm authpriv 5 Assign read and write view to the USM group. For this example, assign read and write view, starting at org, to the USM group group_1. Passport-8310:5# config snmp-v3 group-access view group_1 "" usm authpriv read org write org 6 Add User 2 to the USM table. For this example, specify a user name of user2, and a MD5 password of user2abcd. Passport-8310:5# config snmp-v3 usm create user2 md5 auth user2abcd 7 Add User 2 to the USM group. For this example, add User 2 to the group named group_1 that you created in step 3. Passport-8310:5# config snmp-v3 group-member create user2 usm group_1 Configuring and Managing Security using the NNCLI and CLI

320 320 Chapter 18 CLI configuration examples 8 Assign the access level to the USM group. For this example, assign an access level of authnopriv to the USM group group_1. Passport-8310:5# config snmp-v3 group-access create group_1 "" usm authnopriv 9 Create a new MIB view to exclude the private MIB for User 2. For this example, add a new MIB view named private to exclude access to the SNMP Private MIB. Passport-8310:5# config snmp-v3 mib-view create private type exclude 10 Assign read and write view to the USM group. For this example, assign read view only, starting at org, and read and write view, starting at private, to the USM group group_1. Passport-8310:5# config snmp-v3 group-access view group_1 "" usm authnopriv read org write private C

321 Chapter 18 CLI configuration examples 321 Configuration files This section shows the configuration commands and parameters used to set up User 1 and User 2 for SNMPv3, as shown in Figure 89 on page 318. You can copy and paste the command outputs shown here to update your configuration files. # # SNMP V3 GROUP MEMBERSHIP CONFIGURATION # snmp-v3 group-member create user1 usm group_1 snmp-v3 group-member create user2 usm group_1 # # SNMP V3 GROUP ACCESS CONFIGURATION # snmp-v3 group-access create group_1 "" usm authnopriv snmp-v3 group-access view group_1 "" usm authnopriv read "org" write "private" snmp-v3 group-access create group_1 "" usm authpriv snmp-v3 group-access view group_1 "" usm authpriv read "org" write "org" # # SNMP V3 MIB VIEW CONFIGURATION # snmp-v3 mib-view create private type exclude # Configuring TACACS+ In this configuration example, you configure the Ethernet Routing Switch 8300 to use TACACS+ to authenticate and authorize different levels of users. In this scenario, both the management PC and the TACACS+ server reside in the same subnet of a local Ethernet port (see Figure 90 on page 322). A routed configuration where the PC and the server sit on a separate subnet is also supported. Configuring and Managing Security using the NNCLI and CLI

322 322 Chapter 18 CLI configuration examples Figure 90 TACACS+ server and management PC on the same subnet Slot 1, Port 8 (1/8) Corporate network Management PC Ethernet Routing Switch 8300 Management IP: TACACS+ server Supported TACACS+ servers The following TACACS+ servers are supported by Nortel: Cisco ACS (version 3.2) ClearBox (version 2.4.5) Linux Freeware TACPLUS (version ) TACACS+ configuration example To configure the switch for this example: 1 Configure the management VLAN. For example, create the port-based management VLAN 10 in STG 1. Add the local Ethernet port (1/8), and identify the management IP address and netmask: Passport-8310:5# config vlan 10 create byport 1 Passport-8310:5# config vlan 10 ports add 1/8 Passport-8310:5# config vlan 10 ip create / C

323 Chapter 18 CLI configuration examples Configure the Ethernet Routing Switch to point to the TACACS+ server for authentication. In this example, the secret key string is secret. Passport-8310:5# config tacacs server create secret secret 3 Enable TACACS+. Passport-8310:5# config tacacs enable true Configuring the TACACS+ server On the TACACS+ server, you must define the following items: user profiles and corresponding authorization levels (see TACACS+ access levels on page 80 for information on Ethernet Routing Switch 8300 access levels and privileges) a client (in this case, the Ethernet Routing Switch 8300) Note: The secret key string configured on the Ethernet Routing Switch 8300 must match that configured on the TACACS+ server. Refer to Appendix A, TACACS+ server configuration examples, on page 325 for TACACS+ server configuration examples. Configuring and Managing Security using the NNCLI and CLI

324 324 Chapter 18 CLI configuration examples C

325 325 Appendix A TACACS+ server configuration examples Refer to the following sections for basic configuration examples of the TACACS+ server: Configuration example: Cisco ACS server on page 325 Configuration example: ClearBox server on page 331 Configuration example: Linux freeware server on page 343 Configuration example: Cisco ACS server In this example, the Cisco ACS (version 3.2) TACACS+ server is configured. Figure 91 on page 326 shows the main administration window. Refer to vendor documentation for your server for specific configuration procedures. Configuring and Managing Security using the NNCLI and CLI

326 326 Appendix A TACACS+ server configuration examples Figure 91 Cisco ACS (version 3.2) main administration window 1 Define the users and the corresponding authorization levels. If you map users to default group settings, it is easier to remember which user belongs to each group. For example, the rwa user belongs to group 6 to match Privilege level 6. All rwa user settings are picked up from group 6 by default. Figure 92 on page 327 shows a sample Group Setup window C

327 Appendix A TACACS+ server configuration examples 327 Figure 92 Group Setup window Cisco ACS server configuration 2 Configure the server settings. Figure 93 on page 328 shows a sample Network Configuration window to configure the authorization, authentication, and accounting (AAA) server for TACACS+. Configuring and Managing Security using the NNCLI and CLI

328 328 Appendix A TACACS+ server configuration examples Figure 93 Network Configuration window server setup 3 Define the client. Figure 94 on page 329 shows a sample Network Configuration window to configure the client. Authenticate using TACACS+. Single-connection can be used, but this must match the configuration on the Ethernet Routing Switch C

329 Appendix A TACACS+ server configuration examples 329 Figure 94 Network Configuration window client setup 4 Verify the groups you have configured. In this example, the user is associated with a user group (see Figure 95 on page 330). An rwa account belongs to group 6, therefore its privilege level corresponds to the settings for groups 6. The ro accounts belong to group 0, L1 accounts belong to group 2, and so on. Configuring and Managing Security using the NNCLI and CLI

330 330 Appendix A TACACS+ server configuration examples Figure 95 Group Setup window viewing the group setup 5 View users, their status, and the corresponding group to which each belongs. Figure 96 on page 331 shows a sample User Setup window. You can use this window to find, add, edit, and view users settings C

331 Appendix A TACACS+ server configuration examples 331 Figure 96 User Setup window Cisco ACS server configuration Configuration example: ClearBox server 1 Run the General Extension Configurator and configure the user data source (see Figure 97 on page 332). In this example, Microsoft Access was used to create a database of user names and authorization levels; the general.mdb file needs to include these users. Configuring and Managing Security using the NNCLI and CLI

332 332 Appendix A TACACS+ server configuration examples Figure 97 General Extension Configurator 2 Create a Client entry for (see Figure 86 on page 308) by right-clicking the TACACS+ Clients item. The TACACS+ Client, in this case, is the Ethernet Routing Switch Enter the appropriate information. The shared secret needs to match the value configured on the Ethernet Routing Switch C

333 Figure 98 Creating a client entry Appendix A TACACS+ server configuration examples 333 The default realm Authentication tab will look like that in Figure 99 on page 334. Configuring and Managing Security using the NNCLI and CLI

334 334 Appendix A TACACS+ server configuration examples Figure 99 Default realm Authentication tab 3 Select Realms > def > Authorization tab. A new service is required that allows the server to assign certain levels of access. 4 Click the + button to add an attribute-value pair for privilege levels. See Figure 100 on page C

335 Appendix A TACACS+ server configuration examples 335 Figure 100 Default realm Authorization tab 5 Enter information in the window as shown in Figure 101 on page Click + to add the parameters for the query. Configuring and Managing Security using the NNCLI and CLI

336 336 Appendix A TACACS+ server configuration examples Figure 101 Adding parameters for the query 7 Use the string shown in Figure 102 for the authorization query. Figure 102 Authorization Query window C

337 Appendix A TACACS+ server configuration examples 337 The final window should look like that in Figure 103. Figure 103 Query parameters added to Authorization Attribute-Value Pairs window 8 Click OK. The information appears on the Authorization tab (see Figure 104 on page 338). Configuring and Managing Security using the NNCLI and CLI

338 338 Appendix A TACACS+ server configuration examples Figure 104 Authorization attribute-value pairs added to Authorization tab 9 Navigate to the general.mdb file as specified earlier. Note that Microsoft Access or third party software is required to read this file. This user table should look like that in Figure 105 on page 339. If the Privilege column does not exist, create one and populate it according to the desired access level. Note: When using the 30-day demo for ClearBox, the user names cannot be more than four characters in length C

339 Appendix A TACACS+ server configuration examples 339 Figure 105 Users table Microsoft Access 10 Run the Server Manager (you must now start the server). See Figure Click the Connect button. Figure 106 ClearBox Server Manager Configuring and Managing Security using the NNCLI and CLI

340 340 Appendix A TACACS+ server configuration examples The Connect to... dialog box opens (see Figure 107). 12 Click OK (do not fill in any fields). Figure 107 Connect to... dialog box 13 Click OK at the warning message. 14 Click Start. The Server Manager should now look like that in Figure 108 on page 341. Any changes to the General Server Extension Configurator require that the server be restarted C

341 Figure 108 TACACS+ server connected Appendix A TACACS+ server configuration examples Verify that the server is configured correctly. Refer to Figure 109 on page 342. Configuring and Managing Security using the NNCLI and CLI

Installing Enterprise Switch Manager

Installing Enterprise Switch Manager Installing Enterprise Switch Manager NN47300-300 Document status: Standard Document version: 0401 Document date: 26 March 2008 All Rights Reserved The information in this document is subject to change

More information

Installing Enterprise Switch Manager

Installing Enterprise Switch Manager Installing Enterprise Switch Manager ATTENTION Clicking on a PDF hyperlink takes you to the appropriate page If necessary, scroll up or down the page to see the beginning of the referenced section NN47300-300

More information

Installation AC Power Supply

Installation AC Power Supply NN46200-301 (316797-C Rev 01) Document status: Standard Document version: 0301 Document date: 27 August 2007 All Rights Reserved Sourced in Canada and the United States of America The information in this

More information

Fault Management System Messaging Platform Reference

Fault Management System Messaging Platform Reference Fault Management System Messaging Platform Reference NN46200-701 (316806-E Rev 01) Document status: Standard Document version: 0301 Document date: 27 August 2007 All Rights Reserved The information in

More information

Security Configuration and Management

Security Configuration and Management Security Configuration and Management ATTENTION Clicking on a PDF hyperlink takes you to the appropriate page If necessary, scroll up or down the page to see the beginning of the referenced section NN47215-505

More information

Nortel Ethernet Routing Switch 2500 Series Configuration Security. Release: 4.3 Document Revision:

Nortel Ethernet Routing Switch 2500 Series Configuration Security. Release: 4.3 Document Revision: Release: 4.3 Document Revision: 04.01 www.nortel.com NN47215-505. . Release: 4.3 Publication: NN47215-505 Document release date: 22 February 2010 While the information in this document is believed to be

More information

Configuring BGP Services

Configuring BGP Services Part No. 314721-E Rev 00 May 2006 4655 Great America Parkway Santa Clara, CA 95054 Ethernet Routing Switch 8600 Software Release 4.1 2 Copyright 2006 Nortel Networks. All Rights Reserved. The information

More information

Configuring IP Routing and Multicast Operations using Device Manager Ethernet Routing Switch 1600 Series, Software Release 2.1

Configuring IP Routing and Multicast Operations using Device Manager Ethernet Routing Switch 1600 Series, Software Release 2.1 Part No. 321712-B Rev 04 April 2010 4655 Great America Parkway Santa Clara, CA 95054 Configuring IP Routing and Multicast Operations using Device Manager Ethernet Routing Switch 1600 Series, Software Release

More information

Configuration Network Management using NNCLI, CLI, and Device Manager

Configuration Network Management using NNCLI, CLI, and Device Manager Configuration Network Management using NNCLI, CLI, and Device Manager NN46200-502 (316803-C Rev 01) Document status: Standard Document version: 0301 Document date: 27 August 2007 All Rights Reserved Sourced

More information

Contivity 251 Annex B ADSL VPN Switch Release Notes

Contivity 251 Annex B ADSL VPN Switch Release Notes Version 2.00 Part No. 317520-A Rev 01 December 2003 600 Technology Park Drive Billerica, MA 01821-4130 Contivity 251 Annex B ADSL VPN Switch Release Notes *317520-A Rev 01* 2 Copyright 2003 Nortel Networks

More information

Configuring the Contivity VPN Switch

Configuring the Contivity VPN Switch Version 4.07 Part No. 314958-A Rev 00 June 2002 600 Technology Park Drive Billerica, MA 01821-4130 Configuring the Contivity VPN Switch 2 Copyright 2001 Nortel Networks All rights reserved. June 2002.

More information

QUICK START GUIDE. SMS 2500iX Appliance.

QUICK START GUIDE. SMS 2500iX Appliance. QUICK START GUIDE SMS 2500iX Appliance www.24onlinebilling.com QUICK START GUIDE SMS 25iX Appliance www.24onlinebilling.com 1 DEFAULTS The sales packet of 24online includes following list of contents.

More information

Installing the Shrew Soft VPN Client

Installing the Shrew Soft VPN Client Windows Install Installing the Shrew Soft VPN Client ShrewVPNWindows201211-01 Global Technology Associates 3505 Lake Lynda Drive Suite 109 Orlando, FL 32817 Tel: +1.407.380.0220 Fax. +1.407.380.6080 Email:

More information

Oracle Technology Network Developer License Terms for Java Card Classic Edition and Java Card Connected Edition Software Development Kits

Oracle Technology Network Developer License Terms for Java Card Classic Edition and Java Card Connected Edition Software Development Kits Oracle Technology Network Developer License Terms for Java Card Classic Edition and Java Card Connected Edition Software Development Kits Export Controls Export laws and regulations of the United States

More information

Command Line Interface Reference for the Ethernet Routing Switch 1600 Series Switch Ethernet Routing Switch 1600 Series Software Release 2.

Command Line Interface Reference for the Ethernet Routing Switch 1600 Series Switch Ethernet Routing Switch 1600 Series Software Release 2. Part No. 316862-D June 2006 4655 Great America Parkway Santa Clara, CA 95054 Command Line Interface Reference for the Ethernet Routing Switch 1600 Series Switch Ethernet Routing Switch 1600 Series Software

More information

End User License Agreement

End User License Agreement End User License Agreement Kyocera International, Inc. ( Kyocera ) End User License Agreement. CAREFULLY READ THE FOLLOWING TERMS AND CONDITIONS ( AGREEMENT ) BEFORE USING OR OTHERWISE ACCESSING THE SOFTWARE

More information

Agent Support for Optivity NMS 10.2

Agent Support for Optivity NMS 10.2 Part No. 216729-A April 2004 4655 Great America Parkway Santa Clara, CA 95054 Agent Support for Optivity NMS 10.2 ÅÇÅ 2 Copyright 2003 Nortel Networks All rights reserved. April 2004. The information in

More information

Oracle Binary Code License Agreement for Java Secure Sockets Extension for Connected Device Configuration 1.0.2

Oracle Binary Code License Agreement for Java Secure Sockets Extension for Connected Device Configuration 1.0.2 Oracle Binary Code License Agreement for Java Secure Sockets Extension 1.0.3 for Connected Device Configuration 1.0.2 ORACLE AMERICA, INC. ("ORACLE"), FOR AND ON BEHALF OF ITSELF AND ITS SUBSIDIARIES AND

More information

Terms of Use. Changes. General Use.

Terms of Use. Changes. General Use. Terms of Use THESE TERMS AND CONDITIONS (THE TERMS ) ARE A LEGAL CONTRACT BETWEEN YOU AND SPIN TRANSFER TECHNOLOGIES ( SPIN TRANSFER TECHNOLOGIES, STT, WE OR US ). THE TERMS EXPLAIN HOW YOU ARE PERMITTED

More information

Scan to Hard Disk. Administrator's Guide

Scan to Hard Disk. Administrator's Guide Scan to Hard Disk Administrator's Guide April 2015 www.lexmark.com Edition notice April 2015 The following paragraph does not apply to any country where such provisions are inconsistent with local law:

More information

Reference for the BayStack F Gigabit Switch Management Software

Reference for the BayStack F Gigabit Switch Management Software Part No. 214393-A March 2003 4655 Great America Parkway Santa Clara, CA 95054 Reference for the BayStack 380-24F Gigabit Switch Management Software 2 Copyright 2003 Nortel Networks All rights reserved.

More information

Agent Support for Optivity NMS 10.3

Agent Support for Optivity NMS 10.3 Part No. 216729-B November 2004 4655 Great America Parkway Santa Clara, CA 95054 Agent Support for Optivity NMS 10.3 *216729-B* 2 Copyright 2004 Nortel Networks All rights reserved. November 2004. The

More information

Oracle Technology Network Developer License Terms for Java Card Classic Edition and Java Card Connected Edition Specifications

Oracle Technology Network Developer License Terms for Java Card Classic Edition and Java Card Connected Edition Specifications Oracle Technology Network Developer License Terms for Java Card Classic Edition and Java Card Connected Edition Specifications Export Controls Export laws and regulations of the United States and any other

More information

Release Notes for BayStack Instant Internet Version

Release Notes for BayStack Instant Internet Version Part No. 206578-E March 2001 4401 Great America Parkway Santa Clara, CA 95054 Release Notes for BayStack Instant Internet Version 7.11.1 *206578-E* 2 Copyright 2001 Nortel Networks All rights reserved.

More information

LOGO LICENSE AGREEMENT(S) CERTIPORT AND IC³

LOGO LICENSE AGREEMENT(S) CERTIPORT AND IC³ LOGO LICENSE AGREEMENT(S) CERTIPORT AND IC³ EXHIBIT B-2 LICENSEE: Address: Attention: Phone: Fax: Email: Account #: CERTIPORT LOGO LICENSE AGREEMENT Authorized Testing Centers This Logo License Agreement

More information

Management Software Web Browser User s Guide

Management Software Web Browser User s Guide FS900M Series Fast Ethernet Switches Management Software Web Browser User s Guide 613-002073 Rev. A Copyright 2014, Allied Telesis, Inc. All rights reserved. No part of this publication may be reproduced

More information

EMPLOYER CONTRIBUTION AGREEMENT

EMPLOYER CONTRIBUTION AGREEMENT EMPLOYER CONTRIBUTION AGREEMENT This Employer Contribution Agreement ( Agreement ) is entered into by and between, your successors and assigns ( You ) and Oracle America, Inc. ( Oracle ) as of the date

More information

TERMS OF USE Effective Date: January 1, 2015 To review material modifications and their effective dates scroll to the bottom of the page. 1.Parties.

TERMS OF USE Effective Date: January 1, 2015 To review material modifications and their effective dates scroll to the bottom of the page. 1.Parties. TERMS OF USE Effective Date: January 1, 2015 To review material modifications and their effective dates scroll to the bottom of the page. 1.Parties. The parties to these Terms of Use are you, and the owner

More information

Network-MIDI Driver Installation Guide

Network-MIDI Driver Installation Guide Network-MIDI Driver Installation Guide ATTENTION SOFTWARE LICENSE AGREEMENT PLEASE READ THIS SOFTWARE LICENSE AGREEMENT ( AGREEMENT ) CAREFULLY BEFORE USING THIS SOFTWARE. YOU ARE ONLY PERMITTED TO USE

More information

CA File Master Plus. Release Notes. Version

CA File Master Plus. Release Notes. Version CA File Master Plus Release Notes Version 9.0.00 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is for

More information

Ludlum Lumic Data Logger Software Manual Version 1.1.xx

Ludlum Lumic Data Logger Software Manual Version 1.1.xx Ludlum Lumic Data Logger Software Manual Version 1.1.xx Ludlum Lumic Data Logger Software Manual Version 1.1.xx Contents Introduction... 1 Software License Agreement... 2 Getting Started... 5 Minimum

More information

Online Localization Service

Online Localization Service DEVELOPER EXPRESS INC DEVEXPRESS Copyright (C) 2011-2017 Developer Express Inc. IMPORTANT- READ CAREFULLY: This DEVELOPER EXPRESS INC ("DEVEXPRESS") End-User License Agreement ("EULA") is a legal agreement

More information

Daniel MeterLink Software v1.40

Daniel MeterLink Software v1.40 Quick Start Manual P/N 3-9000-763, Rev K June 2017 Daniel MeterLink Software v1.40 for Daniel Gas and Liquid Ultrasonic Flow Meters Software License Agreement PLEASE READ THIS SOFTWARE LICENSE AGREEMENT

More information

FONT SOFTWARE END USER LICENSE AGREEMENT. We recommend that you print this Font Software End User License Agreement for further reference.

FONT SOFTWARE END USER LICENSE AGREEMENT. We recommend that you print this Font Software End User License Agreement for further reference. FONT SOFTWARE END USER LICENSE AGREEMENT We recommend that you print this Font Software End User License Agreement for further reference. This Font Software End User License Agreement (the Agreement )

More information

OCTOSHAPE SDK AND CLIENT LICENSE AGREEMENT (SCLA)

OCTOSHAPE SDK AND CLIENT LICENSE AGREEMENT (SCLA) OCTOSHAPE SDK AND CLIENT LICENSE AGREEMENT (SCLA) This is a License Agreement (the "Agreement") for certain code (the Software ) owned by Akamai Technologies, Inc. ( Akamai ) that is useful in connection

More information

Nokia Client Release Notes. Version 2.0

Nokia  Client Release Notes. Version 2.0 Nokia Email Client Release Notes Version 2.0 Published June 9, 2008 COPYRIGHT Copyright 1997-2008 Nokia Corporation. All rights reserved. Nokia, Nokia Connecting People, Intellisync, and Intellisync logo

More information

Contivity Secure IP Services Gateway Release Notes

Contivity Secure IP Services Gateway Release Notes Version 4.85 Part No. 315000-E Rev 02 December 2003 600 Technology Park Drive Billerica, MA 01821-4130 Contivity Secure IP Services Gateway Release Notes 2 Copyright 2003 Nortel Networks All rights reserved.

More information

CALSTRS ONLINE AGREEMENT TERMS AND CONDITIONS

CALSTRS ONLINE AGREEMENT TERMS AND CONDITIONS CALSTRS ONLINE AGREEMENT TERMS AND CONDITIONS INTRODUCTION: Before the California State Teachers Retirement System (hereinafter "CalSTRS," "We," or "Us") will provide services found at mycalstrs.com (the

More information

Host Upgrade Utility User Guide for Cisco UCS E-Series Servers and the Cisco UCS E-Series Network Compute Engine

Host Upgrade Utility User Guide for Cisco UCS E-Series Servers and the Cisco UCS E-Series Network Compute Engine Host Upgrade Utility User Guide for Cisco UCS E-Series Servers and the Cisco UCS E-Series Network Compute First Published: August 09, 2013 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive

More information

Bar Code Discovery. Administrator's Guide

Bar Code Discovery. Administrator's Guide Bar Code Discovery Administrator's Guide November 2012 www.lexmark.com Contents 2 Contents Overview...3 Configuring the application...4 Configuring the application...4 Configuring Bar Code Discovery...4

More information

Mobile Banking and Mobile Deposit Terms & Conditions

Mobile Banking and Mobile Deposit Terms & Conditions Mobile Banking and Mobile Deposit Terms & Conditions PLEASE CAREFULLY REVIEW THESE TERMS AND CONDITIONS BEFORE PROCEEDING: This Mobile Banking and Mobile Deposit Addendum ( Addendum ) to the Old National

More information

DME-N Network Driver Installation Guide for M7CL

DME-N Network Driver Installation Guide for M7CL DME-N Network Driver Installation Guide for M7CL ATTENTION SOFTWARE LICENSE AGREEMENT PLEASE READ THIS SOFTWARE LICENSE AGREEMENT ( AGREEMENT ) CAREFULLY BEFORE USING THIS SOFTWARE. YOU ARE ONLY PERMITTED

More information

MERIDIANSOUNDINGBOARD.COM TERMS AND CONDITIONS

MERIDIANSOUNDINGBOARD.COM TERMS AND CONDITIONS MERIDIANSOUNDINGBOARD.COM TERMS AND CONDITIONS Introduction This document sets forth the terms and conditions ("Terms and Conditions") governing your use of the MeridianHealth.com Web site ("Web Site")

More information

TERMS OF SERVICE. Maui Lash Extensions All Rights Reserved.

TERMS OF SERVICE. Maui Lash Extensions All Rights Reserved. TERMS OF SERVICE Electronic Communication: When you visit our website or send e-mails to us, you are communicating with us electronically. You consent to receive communications from us electronically.

More information

Software Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches)

Software Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches) Software Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches) First Published: 2017-07-31 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA

More information

RSA Two Factor Authentication

RSA Two Factor Authentication RSA Two Factor Authentication Feature Description VERSION: 6.0 UPDATED: JULY 2016 Copyright Notices Copyright 2002-2016 KEMP Technologies, Inc.. All rights reserved.. KEMP Technologies and the KEMP Technologies

More information

Configuration Security Avaya Ethernet Routing Switch 2500 Series

Configuration Security Avaya Ethernet Routing Switch 2500 Series Configuration Security Avaya Ethernet Routing Switch 2500 Series 4.4 NN47215-505, 05.04 July 2012 2012 Avaya Inc. All Rights Reserved. Notice While reasonable efforts have been made to ensure that the

More information

Secure Shell Configuration Guide, Cisco IOS Release 15M&T

Secure Shell Configuration Guide, Cisco IOS Release 15M&T Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION

More information

Reference for the Business Policy Switch 2000 Command Line Interface Release 2.0

Reference for the Business Policy Switch 2000 Command Line Interface Release 2.0 Part No. 212160-B November 2001 4401 Great America Parkway Santa Clara, CA 95054 Reference for the Business Policy Switch 2000 Command Line Interface Release 2.0 2 Copyright 2001 Nortel Networks All rights

More information

Forms on Demand. Administrator's Guide. April

Forms on Demand. Administrator's Guide. April Forms on Demand Administrator's Guide April 2010 www.lexmark.com Lexmark and Lexmark with diamond design are trademarks of Lexmark International, Inc., registered in the United States and/or other countries.

More information

Cisco CSPC 2.7x. Configure CSPC Appliance via CLI. Feb 2018

Cisco CSPC 2.7x. Configure CSPC Appliance via CLI. Feb 2018 Cisco CSPC 2.7x Configure CSPC Appliance via CLI Feb 2018 2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. Page 1 of 5 Contents Table of Contents 1. CONFIGURE CSPC

More information

TERMS & CONDITIONS. Complied with GDPR rules and regulation CONDITIONS OF USE PROPRIETARY RIGHTS AND ACCEPTABLE USE OF CONTENT

TERMS & CONDITIONS. Complied with GDPR rules and regulation CONDITIONS OF USE PROPRIETARY RIGHTS AND ACCEPTABLE USE OF CONTENT TERMS & CONDITIONS www.karnevalkings.com (the "Site") is a website and online service owned and operated by the ViisTek Media group of companies (collectively known as "Karnevalkings.com", "we," "group",

More information

SOFTWARE LICENSE LIMITED WARRANTY

SOFTWARE LICENSE LIMITED WARRANTY CYBEROAM INSTALLATION GUIDE VERSION: 5..0..6 IMPORTANT NOTICE Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is presented without warranty

More information

CX Recorder. User Guide. Version 1.0 February 8, Copyright 2010 SENSR LLC. All Rights Reserved. R V1.0

CX Recorder. User Guide. Version 1.0 February 8, Copyright 2010 SENSR LLC. All Rights Reserved. R V1.0 CX Recorder User Guide Version 1.0 February 8, 2010 Copyright 2010 SENSR LLC. All Rights Reserved. R001-418-V1.0 TABLE OF CONTENTS 1 PREAMBLE 3 1.1 Software License Agreement 3 2 INSTALLING CXRECORDER

More information

The Travel Tree Terms and Conditions

The Travel Tree Terms and Conditions The Travel Tree Terms and Conditions Please read the following Terms & Conditions carefully before using this site. Use of this site indicates acceptance of these Terms and Conditions. The following terms

More information

MULTIFUNCTIONAL DIGITAL SYSTEMS. Software Installation Guide

MULTIFUNCTIONAL DIGITAL SYSTEMS. Software Installation Guide MULTIFUNCTIONAL DIGITAL SYSTEMS Software Installation Guide 2013 TOSHIBA TEC CORPORATION All rights reserved Under the copyright laws, this manual cannot be reproduced in any form without prior written

More information

Cisco TEO Adapter Guide for

Cisco TEO Adapter Guide for Release 2.3 April 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part

More information

CERTIFIED MAIL LABELS TERMS OF USE and PRIVACY POLICY Agreement

CERTIFIED MAIL LABELS TERMS OF USE and PRIVACY POLICY Agreement CERTIFIED MAIL LABELS TERMS OF USE and PRIVACY POLICY Agreement Welcome to Certified Mail Envelopes and Certified Mail Labels web sites (the Site ) a website, trademark and business name owned and operated

More information

VSC-PCTS2003 TEST SUITE TIME-LIMITED LICENSE AGREEMENT

VSC-PCTS2003 TEST SUITE TIME-LIMITED LICENSE AGREEMENT VSC-PCTS2003 TEST SUITE TIME-LIMITED LICENSE AGREEMENT Notes These notes are intended to help prospective licensees complete the attached Test Suite Time-Limited License Agreement. If you wish to execute

More information

Customer Support: For more information or support, please visit or at Product Release Information...

Customer Support: For more information or support, please visit   or  at Product Release Information... Product Release Information Product: Cyberoam Release Number: 9.3.0 build 5 Release Date: 19th July 2006 Compatible versions: 9.2.0 build 2 Upgrade Mode: Manual 1 Important note Upgrade removes all the

More information

Configuration VLANs, Spanning Tree, and Static Link Aggregation using Device Manager

Configuration VLANs, Spanning Tree, and Static Link Aggregation using Device Manager Configuration VLANs, Spanning Tree, and Static Link Aggregation using Device Manager NN46200-510 (317348-E Rev 01) Document status: Standard Document version: 0301 Document date: 27 August 2007 All Rights

More information

SUPPORT MATRIX. HYCU OMi Management Pack for Citrix

SUPPORT MATRIX. HYCU OMi Management Pack for Citrix HYCU OMi Management Pack for Citrix : 2.0 Product release date: October 2017 Document release data: April 2018 Legal notices Copyright notice 2014-2018 HYCU. All rights reserved. This document contains

More information

Managing IP Addressing in Nortel NetID

Managing IP Addressing in Nortel NetID Version 4.5 Part No. June 2005 3500 Carling Avenue Ottawa, ON CANADA Managing IP Addressing in Nortel NetID Version 4.5 June 2005 3500 Carling Avenue Ottawa, ON CANADA 2 Copyright June 2005 Nortel Networks

More information

Videoscape Distribution Suite Software Installation Guide

Videoscape Distribution Suite Software Installation Guide First Published: August 06, 2012 Last Modified: September 03, 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800

More information

Oracle Binary Code License Agreement for the Java SE Platform Products and JavaFX

Oracle Binary Code License Agreement for the Java SE Platform Products and JavaFX Oracle Binary Code License Agreement for the Java SE Platform Products and JavaFX ORACLE AMERICA, INC. ("ORACLE"), FOR AND ON BEHALF OF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES UNDER COMMON CONTROL,

More information

1.4 Oracle Linux/Oracle VM Term(s) is defined as the duration for which You have acquired the applicable Oracle Linux/Oracle VM Service Offering(s).

1.4 Oracle Linux/Oracle VM Term(s) is defined as the duration for which You have acquired the applicable Oracle Linux/Oracle VM Service Offering(s). ORACLE LINUX AND ORACLE VM SERVICES AGREEMENT GENERAL TERMS This Oracle Linux and Oracle VM Services Agreement is between Oracle America, Inc. ( Oracle ) and the individual or entity identified below in

More information

PLAINSCAPITAL BANK SAMSUNG PAY TERMS AND CONDITIONS - PERSONAL

PLAINSCAPITAL BANK SAMSUNG PAY TERMS AND CONDITIONS - PERSONAL PLAINSCAPITAL BANK SAMSUNG PAY TERMS AND CONDITIONS - PERSONAL Last Modified: 3/12/2018 These terms and conditions ( Terms and Conditions ) are a legal agreement between you and PlainsCapital Bank that

More information

CA SSO. Agent for Oracle PeopleSoft Release Notes. r12.51

CA SSO. Agent for Oracle PeopleSoft Release Notes. r12.51 CA SSO Agent for Oracle PeopleSoft Release Notes r12.51 This Documentation, which includes embedded help systems and electronically distributed materials (hereinafter referred to as the Documentation ),

More information

Cisco TEO Adapter Guide for SAP Java

Cisco TEO Adapter Guide for SAP Java Release 2.3 April 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part

More information

End User License Agreement

End User License Agreement End User License Agreement This End User License Agreement ( EULA ) is a legal agreement between the end-user Customer of Gigamon hardware and software products ( Customer ) and Gigamon Inc. ( Gigamon

More information

Price List Utilities. For Dynamics CRM 2016

Price List Utilities. For Dynamics CRM 2016 Price List Utilities For Dynamics CRM 2016 Page 1 of 19 Price List Utilities 2016 Copyright Warranty disclaimer Limitation of liability License agreement Copyright 2016 Dynamics Professional Solutions.

More information

Entrust SSL Web Server Certificate Subscription Agreement

Entrust SSL Web Server Certificate Subscription Agreement Entrust SSL Web Server Certificate Subscription Agreement ATTENTION - READ CAREFULLY: THIS SUBSCRIPTION AGREEMENT (THIS "AGREEMENT") IS A LEGAL CONTRACT BETWEEN THE PERSON, ENTITY, OR ORGANIZATION NAMED

More information

SonicWALL CDP 2.1 Agent Tool User's Guide

SonicWALL CDP 2.1 Agent Tool User's Guide COMPREHENSIVE INTERNET SECURITY b SonicWALL CDP Series Appliances SonicWALL CDP 2.1 Agent Tool User's Guide SonicWALL CDP Agent Tool User s Guide Version 2.0 SonicWALL, Inc. 1143 Borregas Avenue Sunnyvale,

More information

Cisco Connected Grid Design Suite (CGDS) - Substation Workbench Designer User Guide

Cisco Connected Grid Design Suite (CGDS) - Substation Workbench Designer User Guide Cisco Connected Grid Design Suite (CGDS) - Substation Workbench Designer User Guide Release 1.5 October, 2013 Cisco Systems, Inc. www.cisco.com Cisco has more than 200 offices worldwide. Addresses, phone

More information

MegaStat Installation Instructions

MegaStat Installation Instructions MegaStat Installation Instructions 1. Download MegaStatInstallationFilesWindows.zip from the website. When you click the download link you will see options at the bottom of the screen that will depend

More information

Epson Professional Imaging

Epson Professional Imaging Epson Professional Imaging Epson Gemini 2 to Epson Gemini K3 Upgrade Program Epson Gemini 2 Customer Information All Fields Required Company Name Gemini K3 Ship To Information Ship To Location Use Same

More information

Ecma International Policy on Submission, Inclusion and Licensing of Software

Ecma International Policy on Submission, Inclusion and Licensing of Software Ecma International Policy on Submission, Inclusion and Licensing of Software Experimental TC39 Policy This Ecma International Policy on Submission, Inclusion and Licensing of Software ( Policy ) is being

More information

MULTIFUNCTIONAL DIGITAL SYSTEMS. Software Installation Guide

MULTIFUNCTIONAL DIGITAL SYSTEMS. Software Installation Guide MULTIFUNCTIONAL DIGITAL SYSTEMS Software Installation Guide 2013 TOSHIBA TEC CORPORATION All rights reserved Under the copyright laws, this manual cannot be reproduced in any form without prior written

More information

TotalShredder USB. User s Guide

TotalShredder USB. User s Guide TotalShredder USB User s Guide Copyright Notice No part of this publication may be copied, transmitted, stored in a retrieval system or translated into any language in any form or by any means without

More information

No Service Password-Recovery

No Service Password-Recovery No Service Password-Recovery Last Updated: January 18, 2012 The No Service Password-Recovery feature is a security enhancement that prevents anyone with console access from accessing the router configuration

More information

Nortel VPN Router Configuration Basic Features

Nortel VPN Router Configuration Basic Features Version 8.00 Part No. NN46110-500 02.01 311642-M Rev 01 13 October 2008 Document status: Standard 600 Technology Park Drive Billerica, MA 01821-4130 Nortel VPN Router Configuration Basic Features 2 Copyright

More information

fontseek.info outofthedark.xyz

fontseek.info outofthedark.xyz Gza Seminegra 116 pt Gza Seminegra 102 pt Blitz Script 52 pt fontseek.info outofthedark.xyz 1 OWNERSHIP OF PRODUCT AND COPYRIGHT OUT OF THE DARK Print page 1 / 2 a The digital files downloaded to your

More information

Configuration Security

Configuration Security NN47200-501 Document status: Standard Document version: 0401 Document date: 12 November 2008 All Rights Reserved While the information in this document is believed to be accurate and reliable, except as

More information

0Introduction. Overview. This introduction contains general information and tips for using your Avaya CD-ROM.

0Introduction. Overview. This introduction contains general information and tips for using your Avaya CD-ROM. 0 Overview Purpose This introduction contains general information and tips for using your Avaya CD-ROM. Features This offer is designed for all users who want the ease of accessing documentation electronically.

More information

PCMCIA Flash Card User Guide

PCMCIA Flash Card User Guide R R PCMCIA Flash Card User Guide For the CoreBuilder 3500 System Introduction The CoreBuilder 3500 PCMCIA Flash Card is a 20 MB flash card that you can use to save your system software. When you have saved

More information

Mobile Banking Enrollment Terms & Conditions

Mobile Banking Enrollment Terms & Conditions END USER TERMS Mobile Banking Enrollment Terms & Conditions This service is provided to you by Bremer Bank and powered by a Third Party (the Licensor ) mobile technology solution. Section A of these End

More information

SensView User Guide. Version 1.0 February 8, Copyright 2010 SENSR LLC. All Rights Reserved. R V1.0

SensView User Guide. Version 1.0 February 8, Copyright 2010 SENSR LLC. All Rights Reserved. R V1.0 SensView User Guide Version 1.0 February 8, 2010 Copyright 2010 SENSR LLC. All Rights Reserved. R001-419-V1.0 TABLE OF CONTENTS 1 PREAMBLE 3 1.1 Software License Agreement 3 2 INSTALLING SENSVIEW 5 2.1

More information

Product Release Information

Product Release Information Product Release Information Product: Cyberoam Release Number: 9.4.1 build 2 Release Date: 20 th March, 2007 Compatible versions: 9.4.1. build 0 Upgrade: Auto Upgrade Customer Support: For more information

More information

Nortel Ethernet Routing Switch 5000 Series Configuration Security. Release: 6.1 Document Revision:

Nortel Ethernet Routing Switch 5000 Series Configuration Security. Release: 6.1 Document Revision: Release: 6.1 Document Revision: 05.01 www.nortel.com NN47200-501. . Release: 6.1 Publication: NN47200-501 Document release date: 20 May 2009 While the information in this document is believed to be accurate

More information

OKI DICOM Embedded Printer DICOM Printing Function User's Guide

OKI DICOM Embedded Printer DICOM Printing Function User's Guide OKI DICOM Embedded Printer DICOM Printing Function User's Guide C610 DM / C711 DM / C831 DM / C910 DM ES6410 DM / ES7411 DM / ES8431 DM / ES9410 DM Important note: This manual describes all the functionalities

More information

SPECTRUM. Control Panel User Guide (5029) r9.0.1

SPECTRUM. Control Panel User Guide (5029) r9.0.1 SPECTRUM Control Panel User Guide (5029) r9.0.1 This documentation and any related computer software help programs (hereinafter referred to as the Documentation ) is for the end user s informational purposes

More information

vippaq Main App. User Guide

vippaq Main App. User Guide vippaq Main App. User Guide Edition 1d July 2008 Contents 1 INTRODUCTION 3 1.1 3 2 SYSTEM PREPARATION 4 2.1.1 Measuring Head Connection 5 2.1.2 Position the Measuring Heads 5 2.1.3 Start Job 5 3 MEASURE

More information

Telecommunication Systems Division. Persistent Pager Add-on User Guide

Telecommunication Systems Division. Persistent Pager Add-on User Guide Telecommunication Systems Division Persistent Pager Add-on User Guide August 2002 Publication Information Toshiba America Information Systems, Inc., Telecommunication Systems Division, reserves the right,

More information

Packet Trace Guide. Packet Trace Guide. Technical Note

Packet Trace Guide. Packet Trace Guide. Technical Note Packet Trace Guide Technical Note VERSION: 2.0 UPDATED: JANUARY 2016 Copyright Notices Copyright 2002-2016 KEMP Technologies, Inc.. All rights reserved.. KEMP Technologies and the KEMP Technologies logo

More information

Cisco TEO Adapter Guide for Microsoft System Center Operations Manager 2007

Cisco TEO Adapter Guide for Microsoft System Center Operations Manager 2007 Cisco TEO Adapter Guide for Microsoft System Center Operations Manager 2007 Release 2.3 April 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com

More information

WLAN Location Engine 2340 Using the Command Line Interface

WLAN Location Engine 2340 Using the Command Line Interface WLAN Location Engine 2340 Using the Command Line Interface Avaya WLAN 2300 Release 6.0 Document Status: Standard Document Number: NN47250-505 Document Version: 01.02 2010 Avaya Inc. All Rights Reserved.

More information

Quick Start Guide. BlackBerry Workspaces app for Android. Version 5.0

Quick Start Guide. BlackBerry Workspaces app for Android. Version 5.0 Quick Start Guide BlackBerry Workspaces app for Android Version 5.0 Published: 2017-01-22 SWD-20170122060917401 Contents Overview... 4 Browse workspaces, folders, and files... 5 Create new workspaces,

More information

User s Manual. JAI Control Tool. Operation Manual. Document Version: C Document P/N:10493

User s Manual. JAI Control Tool. Operation Manual. Document Version: C Document P/N:10493 User s Manual JAI Control Tool Operation Manual Document Version: C Document P/N:10493 SOFTWARE LICENSE AGREEMENT PLEASE READ THIS SOFTWARE LICENSE AGREEMENT CAREFULLY BEFORE DOWNLOADING OR USING THE

More information

HYCU SCOM Management Pack for F5 BIG-IP

HYCU SCOM Management Pack for F5 BIG-IP USER GUIDE HYCU SCOM Management Pack for F5 BIG-IP Product version: 5.5 Product release date: August 2018 Document edition: First Legal notices Copyright notice 2015-2018 HYCU. All rights reserved. This

More information

Cluster Switch Setup Guide for Cisco Switches. May _A0_UR006

Cluster Switch Setup Guide for Cisco Switches. May _A0_UR006 Cluster Switch Setup Guide for Cisco Switches May 2018 215-06775_A0_UR006 doccomments@netapp.com Table of Contents 3 Contents Switches supported by ONTAP... 4 Setting up the switches... 5 Required cluster

More information